Hi,
I tried to transform the Unix app's data, something like this --
[transforms.conf]
[df]
REGEX = ([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([0-9]+)%\s+([^\s]+)
MV_ADD = true
FORMAT = filesystem::$1 type::$2 size::$3 used::$4 avail::$5 usepct::$6 mountedon::$7
[props.conf]
[df]
REPORT-df_field_extraction = df
Now, I am searching following in search app --
index=os sourcetype="df" usepct>20
This should give me information of all the disks that are used more than 20% full but instead it gives me nothing. Any help will be appreciated.
--Edit--
As requested, the output of the df command is --
Filesystem Type Size Used Avail UsePct MountedOn
/dev/sda1 ext3 99M 20M 75M 21% /boot
Thanks!
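As an added check that is not part of the original post or the Splunk Unix app, the script below runs the REGEX and FORMAT field names from the [df] transform above over constructed df lines (the header and data line from the post plus one extra constructed line) and applies the same usepct>20 comparison the search uses; it assumes Python's re module treats this pattern the same way Splunk's PCRE does.

```python
import re

# REGEX from the poster's transforms.conf [df] stanza, and the field names
# in the order FORMAT assigns them to $1..$7.
DF_REGEX = re.compile(
    r"([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([0-9]+)%\s+([^\s]+)"
)
DF_FIELDS = ["filesystem", "type", "size", "used", "avail", "usepct", "mountedon"]

# Constructed sample events: the header and data line from the post, plus one
# constructed line below the threshold so the filter has something to drop.
SAMPLE_EVENTS = [
    "Filesystem Type Size Used Avail UsePct MountedOn",
    "/dev/sda1 ext3 99M 20M 75M 21% /boot",
    "/dev/sda2 ext3 20G 3.1G 16G 17% /",
]


def extract_df(event):
    """Apply the [df] transform to one event.

    Returns a dict of the seven extracted fields, or None when REGEX does not
    match (the header line, for example, has no "NN%" token so it yields nothing).
    """
    match = DF_REGEX.search(event)
    if match is None:
        return None
    return dict(zip(DF_FIELDS, match.groups()))


def filter_usepct(events, threshold):
    """Mimic the search `usepct>threshold`.

    Events without an extraction are skipped; the rest are compared numerically,
    which is what the poster expects the search to do with the extracted string.
    """
    hits = []
    for event in events:
        fields = extract_df(event)
        if fields is None:
            continue
        if int(fields["usepct"]) > threshold:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in filter_usepct(SAMPLE_EVENTS, 20):
        print(hit)
```

If this shows the expected extraction but the Splunk search still returns nothing, the pattern itself is not the problem and the stanza scope or sourcetype is the next thing to confirm.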
It shouldn't really make a difference, but MV_ADD = true is wrong, so just get rid of the whole line and try again.
@bbingham - Thanks for your help! I modified the search app's config files and I am searching in the context of the search app only. I am using the Unix app to generate this data and nothing else. Also, the output of the df command is the way the event looks when searched in Splunk.
I just noticed you're using the search app, but you modified the Unix app file, or did you copy these settings to the search app? In case you missed it, can you also post what the event looks like in Splunk?
If you modified the transforms only in the Unix app, they may be app specific and you may need to globalize your configuration files.
Hi, I have posted the output for that search.
and also how the actual event looks within Splunk (assuming it is being indexed, try a search for the time the script executed)
Can you post the output of the DF command you are using in the scripted inputs?