Splunk Search

How to search all mount points on all hosts to build a report on storage?

fd26645
Path Finder

I am trying to run a search against all hosts, but I am having difficulty figuring out the right approach. A simplified version of what I am looking for is:

index=os sourcetype=df host=system323 mount=/var | streamstats range(storage_used) as storage_growth window=2

But ultimately I want it to search all mount points on all hosts and then send that to a chart or a report.

I tried a few different approaches, but none of them gave me the expected results. I felt like I was on the right path with subsearches because it felt like the equivalent of a for loop, but it did not yield the expected results

index=os sourcetype=df [search index=os sourcetype=df [search index=os sourcetype=df earliest=-1d@d latest=now() | stats values(host) AS host] earliest=-1d@d latest=now() | stats values(mount) AS mount] | streamstats range(storage_used) as storage_growth window=2

How can I take my first search and build a report that will include all hosts and mount points?

0 Karma
1 Solution

acharlieh
Influencer

It looks like you're interested in the changes over time so off the top of my head maybe something like:

index=os sourcetype=df host=* mount=* | streamstats last(storage_used) as last_storage current=f by host,mount | eval host_mount=host.":".mount | eval delta=storage_used-last_storage | timechart sum(delta) by host_mount

View solution in original post

acharlieh
Influencer

It looks like you're interested in the changes over time so off the top of my head maybe something like:

index=os sourcetype=df host=* mount=* | streamstats last(storage_used) as last_storage current=f by host,mount | eval host_mount=host.":".mount | eval delta=storage_used-last_storage | timechart sum(delta) by host_mount

fd26645
Path Finder

Thanks for the suggestion. by host,mount has opened up a new world for me. But it seems like you have manually recreated what range() is supposed to do. Does range not work for this?

0 Karma

acharlieh
Influencer

I'll admit upfront that I haven't used range() before, however from the doc, it seems that range is always positive, instead of varying sign depending on if you have added or removed storage.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...