I can see the total number of servers against Resource Usage: Deployment.
It is showing me 10 out of 12, as two servers are out of service due to a disk issue.
Below is the initial search:
| rest /services/server/status/partitions-space splunk_server="*-ID-*"
| eval free = if(isnotnull(available), available, free)
| eval usage = round((capacity - free) / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| eval compare_usage = usage." / ".capacity
| eval pct_usage = round(usage / capacity * 100, 2)
| stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by splunk_server,mount_point
| rename mount_point as "Mount Point", fs_type as "File System Type", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)"
===============
Below is a sample of the results:
splunk_server   Mount Point   File System Type   Disk Usage (GB)   Disk Usage (%)
A               /opt/splunk   ext4               7 / 8             89.32
B               /opt/splunk   ext4               7 / 8             89.32
C               /opt/splunk   ext4               7 / 8             89.32
D               /opt/splunk   ext4               7 / 8             89.32
E               /opt/splunk   ext4               7 / 8             89.32
F               /opt/splunk   ext4               7 / 8             89.32
G               /opt/splunk   ext4               7 / 8             89.32
H               /opt/splunk   ext4               7 / 8             89.32
I               /opt/splunk   ext4               7 / 8             89.32
The total number of results is 10, whereas the actual number of servers is 12.
So now I want to trigger the alert if the count of results != 12.
Just add this to the bottom:
... | eventstats count | where count<12
Then set your alarm trigger for Number of results and Greater than 0.
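An added example, not part of the original answer: a variant that compares the servers returned by the REST call against an expected inventory, so each alert result names a missing server. It counts servers rather than rows (one server may report several mount points) and still returns rows when the REST call returns nothing. The names in the `split()` list are constructed placeholders following the sample above; replace them with the 12 real server names.

```spl
| makeresults
| eval splunk_server=split("A,B,C,D,E,F,G,H,I,J,K,L", ",")
| mvexpand splunk_server
| fields splunk_server
| join type=left splunk_server
    [| rest /services/server/status/partitions-space splunk_server="*-ID-*"
     | stats count as partitions by splunk_server]
| where isnull(partitions)
| rename splunk_server as "Missing Server"
```

The same trigger condition applies: Number of results, Greater than 0.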