- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Get value out of df scripted input for reporting
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am working on creating a daily historic report to track the utilization of space on my Splunk file systems. I have a scripted input for "df" run daily on the index servers and now I'm looking to get the value of the percentage of disk full for the file system into a field, so that I can report on it.
My output from my scripted input looks like this:
/volumename/1/
299G 268G 31G 90% /opt/splunk
/volumename/2/
300G 281G 19G 94% /var/lib/splunk
I'm looking to pull the values of 90 and 94 from this output and store them in unique fields. Any thoughts about how to best accomplish this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to create different fields for these two specific paths, you could just define two separate extractions. First the one for /opt/splunk:
(?<df_opt_splunk>\d+)%\s+/opt/splunk
And then the corresponding one for /var/lib/splunk.
(?<df_var_lib_splunk>\d+)%\s+/var/lib/splunk
(note that there's a bug on splunk-base adding another backslash, so it should be just one backslash in the extractions above, not two)
I'm curious though as to why you would want to create two separate fields rather than using just one and then using the path field for identifying which path this percentage is referring to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to create different fields for these two specific paths, you could just define two separate extractions. First the one for /opt/splunk:
(?<df_opt_splunk>\d+)%\s+/opt/splunk
And then the corresponding one for /var/lib/splunk.
(?<df_var_lib_splunk>\d+)%\s+/var/lib/splunk
(note that there's a bug on splunk-base adding another backslash, so it should be just one backslash in the extractions above, not two)
I'm curious though as to why you would want to create two separate fields rather than using just one and then using the path field for identifying which path this percentage is referring to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! I was going to use 2 fields just so I could report on them both within the same report. I'm far from ninja status, so I'm sure there may be a more efficient way to do this.,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, they are on separate lines just as shown, although the path I'm most concerned with is what follows the % .
I am looking for field1 to represent the percentage value of /opt/splunk/, and field2 to respresent the percentage value of /var/lib/splunk/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are the paths and percentage values on separate lines in your output or was that just a formatting issue here on this site? Otherwise I would recommend having both the path and the percentage as it makes things a bit simpler.
Also could you clarify what you mean by unique fields - do you want the field names to be different depending on whether it's /volumename/1 or /volumename/2 being processed?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
