Hello,
I'm new to Splunk and I'm using it to track several things that are looking really good. One thing I was curious to get working is a search to track the white space by datastore on our Exchange server. Here's an example of one of the events:
20110215060000.000000
Category=6
CategoryString=General
ComputerName=EXSVR01
EventCode=1221
EventIdentifier=1074136261
EventType=3
Logfile=Application
RecordNumber=2444633
SourceName=MSExchangeIS Mailbox Store
TimeGenerated=20110215060000.000000-300
TimeWritten=20110215060000.000000-300
Type=Information
User=NULL
wmi_type=WinEventLog:Application
Message=The database "NWRK\MB1" has 475 megabytes of free space after online defragmentation has terminated.
For more information, click http://www.microsoft.com/contentredirect.asp.
So in the Message area, I'd like to extract the database (NWRK\MB1) and the 475 value for megabytes. Sometimes I get multiple events for the same database in one day, so I'd need to ensure the values are distinct per database and track it over time. This is the search I had so far, and it tells me the total across all databases for the day, however it doesn't filter out the duplicate entries:
sourcetype="WMI:WinEventLog:Application" EventCode="1221" host="EXSVR01" | rex "has (?<mbs>\d+) megabytes of free" | timechart per_day(mbs)
Any ideas would be greatly appreciated, thanks so much!
Regards,
Jared
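As an added worked example (not part of the original post, and not Splunk code), here is a small Python script that does what the post asks for offline: it extracts the database name and the free-space figure from the 1221 Message text, keeps one value per database per day, and sums the deduplicated values into a daily total. The event text, the second same-day report for NWRK\MB1 and the EventCode=1000 filler event are all constructed for this example and are not real Exchange data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the layout of the post's WMI event (key=value
# lines, blank line between events). The 23:30 NWRK\MB1 event is a deliberate
# same-day duplicate and is listed first to show that ordering does not matter;
# the EventCode=1000 event is filler that must be ignored. Not real data.
SAMPLE_EVENTS = r"""
20110215233000.000000
EventCode=1221
TimeGenerated=20110215233000.000000-300
Message=The database "NWRK\MB1" has 470 megabytes of free space after online defragmentation has terminated.
For more information, click http://www.microsoft.com/contentredirect.asp.

20110215060000.000000
EventCode=1221
TimeGenerated=20110215060000.000000-300
Message=The database "NWRK\MB1" has 475 megabytes of free space after online defragmentation has terminated.
For more information, click http://www.microsoft.com/contentredirect.asp.

20110215060000.000000
EventCode=1221
TimeGenerated=20110215060000.000000-300
Message=The database "NWRK\MB2" has 120 megabytes of free space after online defragmentation has terminated.

20110215120000.000000
EventCode=1000
TimeGenerated=20110215120000.000000-300
Message=Constructed filler event with a different EventCode.

20110216060000.000000
EventCode=1221
TimeGenerated=20110216060000.000000-300
Message=The database "NWRK\MB1" has 510 megabytes of free space after online defragmentation has terminated.

20110216060000.000000
EventCode=1221
TimeGenerated=20110216060000.000000-300
Message=The database "NWRK\MB2" has 118 megabytes of free space after online defragmentation has terminated.
"""

FIELD_RE = re.compile(r"^(\w+)=(.*)$")
# Same anchor text as the post's rex, extended to capture the database name too.
FREE_SPACE_RE = re.compile(r'The database "(?P<db>[^"]+)" has (?P<mb>\d+) megabytes of free')


def parse_events(raw):
    """Split the blob into events and each event into a dict of fields.

    The first line of an event is a bare timestamp; any later line that is not
    key=value is appended to the previous field, which keeps the two-line
    Message intact.
    """
    events = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        lines = block.splitlines()
        fields = {"_raw_time": lines[0].strip()}
        last_key = None
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                last_key = m.group(1)
                fields[last_key] = m.group(2)
            elif last_key:
                fields[last_key] += "\n" + line
        events.append(fields)
    return events


def event_time(fields):
    # TimeGenerated looks like 20110215060000.000000-300; the trailing -300 is
    # the UTC offset in minutes. Days are bucketed by the server's local clock,
    # so only the leading YYYYmmddHHMMSS part is parsed.
    return datetime.strptime(fields["TimeGenerated"][:14], "%Y%m%d%H%M%S")


def free_space_by_day(events):
    """Return {date: {database: megabytes}} with one value per database per day.

    Only EventCode 1221 events whose Message matches are counted. If a database
    reports more than once on a day, the latest report wins, so a repeated
    defragmentation pass cannot inflate the daily total.
    """
    latest = {}  # (date, db) -> (timestamp, mb)
    for f in events:
        if f.get("EventCode") != "1221":
            continue
        m = FREE_SPACE_RE.search(f.get("Message", ""))
        if not m:
            continue
        ts = event_time(f)
        key = (ts.date(), m.group("db"))
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, int(m.group("mb")))
    per_day = defaultdict(dict)
    for (day, db), (_, mb) in latest.items():
        per_day[day][db] = mb
    return dict(per_day)


def daily_totals(per_day):
    """Sum the deduplicated per-database values into one figure per day."""
    return {day: sum(dbs.values()) for day, dbs in sorted(per_day.items())}


if __name__ == "__main__":
    per_day = free_space_by_day(parse_events(SAMPLE_EVENTS))
    totals = daily_totals(per_day)
    for day in sorted(per_day):
        print(day, per_day[day], "total:", totals[day])
```

The same collapse inside Splunk would be done by deduplicating on day and database before the `timechart`; an untested sketch of that (the `db` capture and the `day` field are additions to the post's search) is `... | rex "The database \"(?<db>[^\"]+)\" has (?<mbs>\d+) megabytes of free" | eval day=strftime(_time,"%Y-%m-%d") | dedup day db | timechart span=1d sum(mbs) by db`. Note that `dedup` keeps the first event it sees per day/database in search order (the most recent), which matches the latest-wins rule in the script.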