All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Unix and Linux: How to extract a field with rex to alert when CPU usage is greater than 70%?

sekharsidh
Engager
‎02-25-2016 10:44 AM

I have configured TA nix for our Linux systems and I need to generate an alert when CPU % goes past, lets say, 70%. I think I need to write the rex for this. This is what I am writing:

index=os source=df host = * Filesystem="/dev/mapper/osvg-appbin" OR Filesystem="/dev/mapper/vgapp-appvar" OR "/mqshare" OR "/appdata" | rex "(?\d\d%)" | where UsePct>"30%" | stats count by host,source,UsePct

But it gives me values which are 6% as well. I have very limited knowledge on rex. I need some search which will look for values from 0 % to 100% and alert me if it goes past 70%. Any suggestions will be really helpful and appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sekharsidh
Engager
‎02-25-2016 11:23 AM

I think I got the answer by doing some R&D. Here is the query which seem to work for me:

index=os source=df host = * Filesystem="/dev/mapper/osvg-appbin" OR Filesystem="/dev/mapper/vgapp-appvar" OR "/mqshare" OR "/appdata" | rex "(?\d+)%" | where UsePct>30 | stats count by host,source,UsePct

Result:

host        source  UsePct  count
XXXXXXXX    df      46      12

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sekharsidh
Engager
‎02-25-2016 11:23 AM

I think I got the answer by doing some R&D. Here is the query which seem to work for me:

index=os source=df host = * Filesystem="/dev/mapper/osvg-appbin" OR Filesystem="/dev/mapper/vgapp-appvar" OR "/mqshare" OR "/appdata" | rex "(?\d+)%" | where UsePct>30 | stats count by host,source,UsePct

Result:

host        source  UsePct  count
XXXXXXXX    df      46      12
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...