I am working on creating a daily historic report to track the utilization of space on my Splunk file systems. I have a scripted input for "df" run daily on the index servers and now I'm looking to get the value of the percentage of disk full for the file system into a field, so that I can report on it.
My output from my scripted input looks like this:
/volumename/1/
299G 268G 31G 90% /opt/splunk
/volumename/2/
300G 281G 19G 94% /var/lib/splunk
I'm looking to pull the values of 90 and 94 from this output and store them in unique fields. Any thoughts about how to best accomplish this?
If you want to create different fields for these two specific paths, you could just define two separate extractions. First the one for /opt/splunk:
(?<df_opt_splunk>\d+)%\s+/opt/splunk
And then the corresponding one for /var/lib/splunk.
(?<df_var_lib_splunk>\d+)%\s+/var/lib/splunk
(note that there's a bug on splunk-base adding another backslash, so it should be just one backslash in the extractions above, not two)
I'm curious though as to why you would want to create two separate fields rather than using just one and then using the path field for identifying which path this percentage is referring to.
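An added example, not part of the original thread: the two extractions above run outside Splunk (Node.js) against the df output from the question, next to the single-field-plus-path alternative. It goes beyond the thread in one respect: it shows that the per-path pattern also matches a longer path with the same prefix. The function names, the use_pct and mount field names, and the /opt/splunkforwarder line are assumptions made for illustration.

```javascript
// Constructed sample: the scripted-input output quoted in the question.
const SAMPLE = [
  "/volumename/1/",
  "299G 268G 31G 90% /opt/splunk",
  "/volumename/2/",
  "300G 281G 19G 94% /var/lib/splunk",
].join("\n");

// The two per-path extractions from the answer, with single backslashes.
const PER_PATH = {
  df_opt_splunk: new RegExp(String.raw`(?<df_opt_splunk>\d+)%\s+/opt/splunk`),
  df_var_lib_splunk: new RegExp(
    String.raw`(?<df_var_lib_splunk>\d+)%\s+/var/lib/splunk`
  ),
};

// Generalisation (assumption, not from the thread): one percentage field
// plus the full mount point, so a new file system needs no new extraction.
const GENERAL = new RegExp(String.raw`(?<use_pct>\d+)%\s+(?<mount>/\S*)`, "g");

// Apply each per-path pattern; a field is set only when its path is present.
function extractPerPath(raw) {
  const fields = {};
  for (const [name, re] of Object.entries(PER_PATH)) {
    const m = re.exec(raw);
    if (m) fields[name] = Number(m.groups[name]);
  }
  return fields;
}

// Return { mount: percentage } for every "NN% /path" pair in the event.
function extractAll(raw) {
  const byMount = {};
  for (const m of raw.matchAll(GENERAL)) {
    byMount[m.groups.mount] = Number(m.groups.use_pct);
  }
  return byMount;
}

// Constructed line: a different mount that shares the /opt/splunk prefix.
const PREFIX_LINE = "10G 5G 5G 50% /opt/splunkforwarder";

console.log(extractPerPath(SAMPLE));      // per-path fields
console.log(extractAll(SAMPLE));          // one entry per mount point
console.log(extractPerPath(PREFIX_LINE)); // df_opt_splunk is set here too
console.log(extractAll(PREFIX_LINE));     // keyed by the full mount point
```

If another mount point could share a prefix with /opt/splunk, the per-path pattern needs an end anchor after the path; the general pattern keeps the two apart because it captures the whole mount point.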
Thank you! I was going to use 2 fields just so I could report on them both within the same report. I'm far from ninja status, so I'm sure there may be a more efficient way to do this.
Yes, they are on separate lines just as shown, although the path I'm most concerned with is what follows the %.
I am looking for field1 to represent the percentage value of /opt/splunk/, and field2 to represent the percentage value of /var/lib/splunk/.
Are the paths and percentage values on separate lines in your output or was that just a formatting issue here on this site? Otherwise I would recommend having both the path and the percentage as it makes things a bit simpler.
Also could you clarify what you mean by unique fields - do you want the field names to be different depending on whether it's /volumename/1 or /volumename/2 being processed?