Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What Query should i use to look for a certain directory in Linux Servers where the data is mounted?

mike000
New Member
‎04-02-2020 01:29 PM

What Query should i use to look for a certain directory in Linux Servers where the data is mounted?

So basically suppose linux server name is abdhw003...

so please help me for the query:

index=*_nix_xxxx sourcetype=df host=abdhw003. So in this case I want to find the "/doc" folder in that server, What would be the query for that?

Any help is appreciated, thanks,

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2020 01:35 PM

Try index=*_nix_xxxx sourcetype=df host=abdhw003 source="/doc*"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mike000
New Member
‎04-02-2020 02:29 PM

I tried:
index=_nix_xxxx sourcetype=df host=abdhw003 MountedOn="/doc" |eval source="/doc*" and that seems to work.

Now I have multiple servers

index=_nix_xxxx sourcetype=df host=abdhw003 OR host=n OR host=n OR host=n or host=n MountedOn="/doc"| eval TotalGBytes= TotalMBytes/1024 | eval UsedGBytes=UsedMbytes/1024 |eval used_pct=100(UsedGBytes/TotalGBytes) | stats max(TotalGBytes) as "MaxSize(GB) max(UsedGBytes) as "UsedSize(GB) as "percentUsed" by MountedOn | search PercentUsed>05| Sort PercentUsed

Now the stats that I am getting is getting totalled(All 5 servers adding each other and showing me a max value) I think as the stats query has max value, How do I show stats of each server at a time? Any Ideas?

Thanks for the help. I appreciate it

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2020 01:35 PM

Try index=*_nix_xxxx sourcetype=df host=abdhw003 source="/doc*"

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mike000
New Member
‎04-02-2020 01:39 PM

Hey Rich,

Thanks for the zipppy response, When I used the one you provide, It did not return any result. It shows
"No results found. Try expanding the time range."

0 Karma
Reply
Solved! Jump to solution

mike000
New Member
‎04-02-2020 01:45 PM

The full query is something like this:

index=_nix_xxxx sourcetype=df host=abdhw003 | eval TotalGBytes= TotalMBytes/1024 | eval UsedGBytes=UsedMbytes/1024 |eval used_pct=100(UsedGBytes/TotalGBytes) | stats max(TotalGBytes) as "MaxSize(GB) max(UsedGBytes) as "UsedSize(GB) as "percentUsed" by MountedOn | search PercentUsed>85| Sort PercentUsed

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-02-2020 01:57 PM

Start off small and add one statement at a time until the query breaks.

index=_nix_xxxx sourcetype=df host=abdhw003 source="/doc*"

If you get no results then you may have no data indexed from a file in the /doc path.
Here's an alternative search:

index=_nix_xxxx sourcetype=df host=abdhw003 "/doc*"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...