
What Query should i use to look for a certain directory in Linux Servers where the data is mounted?

mike000
New Member


So basically, suppose the Linux server name is abdhw003...

So please help me with the query:

index=*_nix_xxxx sourcetype=df host=abdhw003. In this case I want to find the "/doc" folder on that server. What would be the query for that?

Any help is appreciated, thanks,

0 Karma
1 Solution

richgalloway
SplunkTrust

Try index=*_nix_xxxx sourcetype=df host=abdhw003 source="/doc*"

---
If this reply helps you, Karma would be appreciated.


0 Karma

mike000
New Member

I tried:
index=_nix_xxxx sourcetype=df host=abdhw003 MountedOn="/doc" | eval source="/doc*" and that seems to work.

Now I have multiple servers

index=_nix_xxxx sourcetype=df (host=abdhw003 OR host=n OR host=n OR host=n OR host=n) MountedOn="/doc" | eval TotalGBytes=TotalMBytes/1024 | eval UsedGBytes=UsedMbytes/1024 | eval used_pct=100*(UsedGBytes/TotalGBytes) | stats max(TotalGBytes) as "MaxSize(GB)" max(UsedGBytes) as "UsedSize(GB)" max(used_pct) as PercentUsed by MountedOn | search PercentUsed>05 | sort PercentUsed

Now the stats that I am getting are being totalled (all 5 servers are being combined and showing me one max value), I think because the stats query uses max. How do I show the stats for each server separately? Any ideas?

Thanks for the help. I appreciate it

0 Karma
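The per-server breakdown asked about above comes down to the `by` clause: `stats ... by MountedOn` groups only on the mount point, so `max()` runs across every host that has a `/doc` mount and collapses them into one row. Grouping `by host, MountedOn` keeps one row per server and mount. The search below is an added example written for this thread, not code posted by mike000 or richgalloway; it assumes the field names used in the thread (`TotalMBytes`, `UsedMbytes`, `MountedOn`, which must match the exact casing in your indexed `df` events) and uses constructed host names in place of the `host=n` placeholders.

```spl
index=_nix_xxxx sourcetype=df
    (host=abdhw003 OR host=abdhw004 OR host=abdhw005)
    MountedOn="/doc"
| eval TotalGBytes=TotalMBytes/1024
| eval UsedGBytes=UsedMbytes/1024
| eval used_pct=round(100*UsedGBytes/TotalGBytes, 2)
| stats max(TotalGBytes) as "MaxSize(GB)"
        max(UsedGBytes)  as "UsedSize(GB)"
        max(used_pct)    as PercentUsed
        by host, MountedOn
| where PercentUsed > 85
| sort - PercentUsed
```

The parentheses around the `host=` terms matter: without them SPL binds `AND` tighter than `OR`, so the `MountedOn="/doc"` filter would apply only to the last host. The `max()` functions report the peak usage anywhere in the selected time range, which is the right choice for a "has this ever crossed the threshold" alert; swap them for `latest()` if the table should show the current reading from each server instead. `where` is used rather than `search` for the numeric comparison so the threshold is evaluated as a number.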

mike000
New Member

Hey Rich,

Thanks for the zippy response. When I used the one you provided, it did not return any results. It shows
"No results found. Try expanding the time range."

0 Karma

mike000
New Member

The full query is something like this:

index=_nix_xxxx sourcetype=df host=abdhw003 | eval TotalGBytes=TotalMBytes/1024 | eval UsedGBytes=UsedMbytes/1024 | eval used_pct=100*(UsedGBytes/TotalGBytes) | stats max(TotalGBytes) as "MaxSize(GB)" max(UsedGBytes) as "UsedSize(GB)" max(used_pct) as PercentUsed by MountedOn | search PercentUsed>85 | sort PercentUsed

0 Karma

richgalloway
SplunkTrust

Start off small and add one statement at a time until the query breaks.

index=_nix_xxxx sourcetype=df host=abdhw003 source="/doc*"

If you get no results then you may have no data indexed from a file in the /doc path.
Here's an alternative search:

index=_nix_xxxx sourcetype=df host=abdhw003 "/doc*"
---
If this reply helps you, Karma would be appreciated.
0 Karma