Splunk® App for NetApp Data ONTAP (EOL)

Deploy and Use the Splunk App for NetApp Data ONTAP

On June 10, 2021, the Splunk App for NetApp Data ONTAP will reach its end of life and Splunk will no longer maintain or develop this product.

Proactive Monitoring dashboards

Filer view

In the Filer View, search by filer name to display the details of usage for that filer. As with all Splunk searches, select a time range over which you want to collect the data for that filer. You can search using the host name or the system name. The list of filers in your environment is available on the Home Dashboard.

Panel Description
Memory This is the amount of available memory in MB on the filer. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] source="system-get-info" |eval memory-size = 'memory-size'." "."MB" | head 1| table memory-size
CPUs This is the number of CPUs on that host. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] source="system-get-info" | head 1| table number-of-processors
Host This is the IP address of the host. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] source="system-get-info" | head 1| table host
Volumes contained This is the number of volumes on the filer. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] sourcetype="ontap:volume" source="volume-list-info-iter-start" | stats dc(name)
  • Sourcetype that must be present for the view to populate: ontap:volume
Aggregates contained This panel displays the number of Aggregates on the filer. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] sourcetype="ontap:aggr" source="aggr-list-info" | stats dc(name)
  • Sourcetype that must be present for the view to populate: ontap:aggr
Volumes summary This panel displays the name of the Volume and other data relating to the usage of the volume. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] sourcetype="ontap:volume" source="volume-list-info-iter-start" | dedup name | rename "size-total" as sz_total | rename "size-available" as sz_free | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | table name, containing-aggregate, disk-count, percentage-used, "gb-total", "gb-free", snapshot-percent-reserved, host | rename name AS "Volume", containing-aggregate AS "Aggregate", disk-count AS "Disks", percentage-used AS "Used (%)", gb-total AS "Total (GB)", gb-free AS "Free (GB)", snapshot-percent-reserved AS "Snapshot Reserve (%)", host AS "Host"
  • Sourcetype that must be present for the view to populate: ontap:volume
Aggregates summary This panel displays the name of the Aggregate and other data relating to the usage of the aggregate. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] sourcetype="ontap:aggr" source="aggr-list-info" | dedup name | rename "size-total" as sz_total | rename "size-available" as sz_free | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | table name, volume-count, size-percentage-used, "gb-total", "gb-free", host | rename name AS "Aggregate", volume-count AS "Volumes", size-percentage-used AS "Used (%)", gb-total AS "Total (GB)", gb-free AS "Free (GB)", host AS "Host"
  • Sourcetype that must be present for the view to populate: ontap:aggr
Average latency (ms) This chart shows the average latency in milliseconds. The following search powers the panel:
  • Search: | tstats avg("NetAppPerformance.Volume_Performance.read_latency_average") AS read_latency_average, avg("NetAppPerformance.Volume_Performance.write_latency_average") AS write_latency_average, avg("NetAppPerformance.Volume_Performance.other_latency_average") AS other_latency_average from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.Volume_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | eval read_latency_average=read_latency_average/1000 | eval write_latency_average=write_latency_average/1000 | eval other_latency_average=other_latency_average/1000 | timechart span=5m avg(read_latency_average) AS "Read Latency", avg(write_latency_average) as "Write Latency", avg(other_latency_average) as "Other Latency"
Average CPU Busy (%) This chart shows the amount of CPU used as a percent. The following search powers the panel:
  • Search: | tstats avg("NetAppPerformance.System_Performance.cpu_busy_percent") AS cpu_busy_percent from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.System_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | timechart avg(cpu_busy_percent) as "Host" by host
Capacity (GB) This chart shows the capacity used in GB. The following search powers the panel:
  • Search: [search `SystemHostname("<IP_address>")`] sourcetype=ontap:volume source="volume-list-info-iter-start" | convert num(size-total) as st | convert num(size-available) as sf | eval "gb-total"=`BytesToGigaBytes(st)` | eval "gb-free"=`BytesToGigaBytes(sf)` | bucket _time span=30m | table _time, name, "gb-total", "gb-free" | dedup _time, name | stats sum("gb-total") as space_used_total sum("gb-free") as space_used_free by _time | timechart span=30m avg(space_used_total) as "total space", avg(space_used_free) as "free space" by host
  • Sourcetype that must be present for the view to populate: ontap:volume
Volumes with highest latency over the past hour (ms) This view shows the volumes with highest latency. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=VolumePerfHandler [search `SystemHostname("$name$")`] | stats avg(avg_latency_average) as avg_latency_average max(avg_latency_average) as avg_latency_max by host,instance_name | eval avg_latency_average=avg_latency_average/1000 | eval avg_latency_max=avg_latency_max/1000 | sort - avg_latency_max | rename instance_name AS "Volume", host AS "Host", avg_latency_average AS "Average Latency", avg_latency_max AS "Max Latency" | head 10
  • Sourcetype that must be present for the view to populate: ontap:perf
Aggregates with the highest transfer rates over the past hour (transfers/S) This view shows the Aggregates with the highest transfer rates over the past hour. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=AggrPerfHandler [search `SystemHostname("$name$")`] | stats avg(total_transfers_rate) as total_transfers_rate_average max(total_transfers_rate) as total_transfers_rate_max by host,instance_name | eval total_transfers_rate_average=total_transfers_rate_average/1000 | eval total_transfers_rate_max=total_transfers_rate_max/1000 | sort - total_transfers_rate_max | rename instance_name AS "Aggregate", host AS "Host", total_transfers_rate_average as "Average Transfer Rate", total_transfers_rate_max as "Max Transfer Rate" | head 10
  • Sourcetype that must be present for the view to populate: ontap:perf
Highest Max User Read Latency Disks over the past hour (ms) This view shows the highest Max User Read Latency Disks over the past hour. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=DiskPerfHandler [search `SystemHostname("$name$")`] | stats avg(user_read_latency_average) as user_read_latency_average max(user_read_latency_average) as user_read_latency_max first(display_name) as display_name by host,instance_name | eval user_read_latency_average=user_read_latency_average/1000 | eval user_read_latency_max=user_read_latency_max/1000 | sort - user_read_latency_max | table host, display_name, user_read_latency* | rename display_name as "Disk", host as "Host", user_read_latency_average as "Average Latency", user_read_latency_max as "Max Latency" | head 10
  • Sourcetype that must be present for the view to populate: ontap:perf

Cluster view

In the Cluster View, search by cluster name to display the details of usage for that NetApp cluster. As with all Splunk searches select a time range over which you want to collect the data for that cluster. You can search using the host IP address or the the "cluster_node_list". The list of cluster mode filers in your environment is available on the Home Dashboard.

Panel Description
Number of nodes This panel displays the number of nodes in the cluster. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] source="cluster-node-get-iter" | stats dc(node-name) as num_nodes
Number of vservers This panel displays the number of virtual servers in the cluster. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] vserver-type="data" | stats dc(vserver-name)
Cluster management server This panel provides the IP address of the cluster management server. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] source="cluster-identity-get" | head 1| table host
Volumes contained This panel displays the number of volumes in the cluster. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] source="volume-get-iter" | stats dc(volume-id-attributes.uuid)
Aggregates contained This panel displays the number of Aggregates in the cluster. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] source="aggr-get-iter" | stats dc(aggregate-uuid)
Volumes summary This table displays the name of the Volume and other data relating to the usage of the volume. .... The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] sourcetype="ontap:volume" source="volume-get-iter" | dedup "volume-id-attributes.uuid" | rename "volume-space-attributes.size-total" as sz_total "volume-space-attributes.size-available" as sz_free "volume-space-attributes.percentage-snapshot-reserve" as "snapshot-percent-reserved" | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | rename "volume-id-attributes.name" AS "Name", "volume-id-attributes.owning-vserver-name" AS "Vserver", "volume-id-attributes.containing-aggregate-name" AS "Containing Aggregate", "volume-space-attributes.percentage-size-used" AS "Used (%)", "gb-total" AS "Total Space (GB)", "gb-free" AS "Free Space (GB)", "snapshot-percent-reserved" AS "Snapshot Reserve (%)", "host" AS "Host" | table "Name", "Vserver", "Containing Aggregate", "Used (%)", "Total Space (GB)", "Free Space (GB)", "Snapshot Reserve (%)", "Host"
  • Sourcetype that must be present for the view to populate: ontap:volume
Aggregates summary This table displays the name of the Aggregate and other data relating to the usage of the aggregate. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] sourcetype="ontap:aggr" source="aggr-get-iter" | rename aggregate-name as name | dedup name | rename "aggr-space-attributes.percent-used-capacity" as "size-percentage-used" | rename "aggr-volume-count-attributes.flexvol-count" as "volume-count" | rename "aggr-space-attributes.size-total" as sz_total | rename "aggr-space-attributes.size-available" as sz_free | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | rename name AS "Name", volume-count AS "Volume Count", size-percentage-used AS "Used (%)", "gb-total" AS "Total Space (GB)", "gb-free" AS "Free Space (GB)", host AS "Host" | table "Name", "Volume Count", "Used (%)", "Total Space (GB)", "Free Space (GB)", "Host"
  • Sourcetype that must be present for the view to populate: ontap:aggr
Average latency (ms) This chart displays the average latency for the cluster.The following search powers the panel:
  • Search: | tstats avg("NetAppPerformance.Volume_Performance.read_latency_average") AS read_latency_average, avg("NetAppPerformance.Volume_Performance.write_latency_average") AS write_latency_average, avg("NetAppPerformance.Volume_Performance.other_latency_average") AS other_latency_average from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.Volume_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | eval read_latency_average=read_latency_average/1000 | eval write_latency_average=write_latency_average/1000 | eval other_latency_average=other_latency_average/1000 | timechart span=5m avg(read_latency_average) AS "Read Latency", avg(write_latency_average) as "Write Latency", avg(other_latency_average) as "Other Latency"
Average CPU Busy (%) This chart displays the average CPU usage. The following search powers the panel:
  • Search: | tstats avg("NetAppPerformance.System_Performance.cpu_busy_percent") AS cpu_busy_percent from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.System_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | timechart avg(cpu_busy_percent) as "Host" by host
Total IOPS rate This chart displays the total I/O request throughput (workload). The following search powers the panel:
  • Search: | tstats avg("NetAppPerformance.Volume_Performance.read_ops_rate") AS read_ops_rate, avg("NetAppPerformance.Volume_Performance.write_ops_rate") AS write_ops_rate, avg("NetAppPerformance.Volume_Performance.other_ops_rate") AS other_ops_rate, avg("NetAppPerformance.Volume_Performance.total_ops_rate") AS total_ops_rate, from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.Volume_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | timechart span=5m avg(read_ops_rate) AS "Read IOPS Rate", avg(write_ops_rate) as "Write IOPS Rate", avg(other_ops_rate) as "Other IOPS Rate", avg(total_ops_rate) as "Total IOPS Rate"
Capacity (GB) This chart shows the capacity of the cluster in GB. The following search powers the panel:
  • Search: [search `SystemHostname("$name$")`] sourcetype=ontap:volume source="volume-get-iter" | convert num(volume-space-attributes.size-total) as st | convert num(volume-space-attributes.size-available) as sf | eval gb_total=`BytesToGigaBytes(st)` | eval gb_free=`BytesToGigaBytes(sf)` | bucket _time span=30m | rename volume-id-attributes.name as name | table _time, name, gb_total, gb_free | dedup _time, name | stats sum(gb_total) as space_used_total sum(gb_free) as space_used_free by _time | timechart span=30m avg(space_used_total), avg(space_used_free)
  • Sourcetype that must be present for the view to populate: ontap:volume
Volumes with highest latency over the past hour (ms) This table displays the top 10 volumes with the highest latency in the past hour. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=VolumePerfHandler [search `SystemHostname("$name$")`] | eval vserver_name=if(isnull(vserver_name), "", vserver_name) | stats avg(avg_latency_average) as avg_latency_average max(avg_latency_average) as avg_latency_max by host, vserver_name, instance_name | eval avg_latency_average=avg_latency_average/1000 | eval avg_latency_max=avg_latency_max/1000 | sort - avg_latency_max | rename instance_name AS "Volume", host AS "Host", vserver_name AS "Vserver", avg_latency_average as "Average Latency", avg_latency_max as "Max Latency" | head 10
  • Sourcetype that must be present for the view to populate: ontap:perf
Aggregates with the highest transfer rates over the past hour (transfers/S) This table displays the top 10 Aggregates with the highest transfer rates in the past hour. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=AggrPerfHandler [search `SystemHostname("$name$")`] | stats avg(total_transfers_rate) as total_transfers_rate_average max(total_transfers_rate) as total_transfers_rate_max by host,instance_name | eval total_transfers_rate_average=total_transfers_rate_average/1000 | eval total_transfers_rate_max=total_transfers_rate_max/1000 | sort - total_transfers_rate_max | rename instance_name AS "Aggregate", host AS "Host", total_transfers_rate_average AS "Average Transfer Rate", total_transfers_rate_max AS "Max Transfer Rate" | head 10
  • Sourcetype that must be present for the view to populate: ontap:perf
Highest Max User Read Latency Disks over the past hour (ms) This table displays the top 10 disks with the highest Max User Read Latency over the past hour The following search powers the panel:
  • Search: sourcetype=ontap:perf source=DiskPerfHandler [search `SystemHostname("$name$")`] | stats avg(user_read_latency_average) as user_read_latency_average max(user_read_latency_average) as user_read_latency_max first(display_name) as display_name by host, instance_name | eval user_read_latency_average=user_read_latency_average/1000 | eval user_read_latency_max=user_read_latency_max/1000 | sort - user_read_latency_max | rename host AS "Host", display_name AS "Disk", user_read_latency_average AS "Average User Read Latency", user_read_latency_max AS "Max User Read Latency", objname AS "Disk ID" | table "Host", "Disk", "Average User Read Latency", "Max User Read Latency", "Disk ID" | head 10
  • Sourcetype that must be present for the view to populate: ontap:perf

Aggregate Detail

In the Aggregate Detail View, search by providing the IP address for the host and an aggregate name, to display the details of usage for that aggregate. As with all Splunk searches, select a time range over which you want to collect the data for that aggregate. The list of aggregates in your environment is available on the Home Dashboard.

Note that the value of <IP_address> specified in each of the searches below is the actual IP address you provided for the host.

Panel Description
Aggregate Detail This table displays displays the name of the Aggregate and other data relating to the usage of the aggregate. The following search powers the panel:
  • Search: sourcetype="ontap:aggr" (source="aggr-list-info" name="$name$") OR (source="aggr-get-iter" aggregate-name="$name$" ) host="$host$" | `CoalesceAggrFields` | dedup name, host | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | table name, host, volume-count, size-percentage-used, "gb-total", "gb-free" | rename name AS "Aggregate", host AS "Host", volume-count AS "Volumes", size-percentage-used AS "Used (%)", gb-total AS "Total (GB)", gb-free as "Free (GB)"
  • Sourcetype that must be present for the view to populate: ontap:aggr
Associated Volumes This table displays the name of the volumes and the hosts and aggregates to which they relate. The following search powers the panel:
  • Search: sourcetype="ontap:volume" host="$host$" (source="volume-get-iter" OR source="volume-list-info-iter-start") | `CoalesceVolumeFields` | rename name as volume | search "containing-aggregate"="$name$" | dedup "containing-aggregate", host, volume | rename "containing-aggregate" as aggregate | sort aggregate, volume | table volume, host, aggregate | rename volume AS "Volume", host AS "Host", aggregate AS "Aggregate"
  • Sourcetype that must be present for the view to populate: ontap:volume
Associated Disks This table displays disk details for the aggregates and hosts. The following search powers the panel:
  • Search: index=ontap sourcetype=ontap:disk (source=disk-list-info aggregate="$name$") OR (source=storage-disk-get-iter disk-raid-info.disk-aggregate-info.aggregate-name="$name$") host="$host$" | rex field=disk-name "(?<node_name>[^:]+):(?<instance_name>.*?)$" | eval instance_name=if(isnull(instance_name),name,instance_name) | rename disk-name AS disk_name disk-raid-info.disk-aggregate-info.aggregate-name AS dri_aggr_name serial-number AS serial_number disk-type AS disk_type disk-inventory-info.serial-number AS dii_sn disk-inventory-info.disk-type AS dii_dt disk-ownership-info.owner-node-name as dii_hnn | eval name=if(isnull(name),disk_name,name) | eval aggregate=if(isnull(aggregate),dri_aggr_name,aggregate) | eval disk-type=if(isnull(disk_type),dii_dt,disk_type) | eval serial-number=if(isnull(serial_number),dii_sn,serial_number) | eval node-name=if(isnull(node_name),dii_hnn,node_name) | dedup name | rename name as disk | table host, aggregate, disk, disk-type, serial-number, instance_name, node-name | rename host AS "Host", aggregate AS "Aggregate", disk AS "Disk", disk-type AS "Type", serial-number AS "Serial Number", instance_name AS "Name", node-name AS "Node"
  • Sourcetype that must be present for the view to populate: ontap:disk
Aggregate Transfer Rates (OPS/sec) This chart displays the data transfer rates for the aggregate. The following search powers the panel:
  • Search: sourcetype="ontap:perf" source=AggrPerfHandler host="$host$" instance_name="$name$" | timechart first(cp_reads_rate) as cp_reads_rate first(total_transfers_rate) as total_transfers_rate first(user_reads_rate) as user_reads_rate first(user_writes_rate) as user_writes_rate by instance_name
  • Sourcetype that must be present for the view to populate: ontap:perf

Volume Detail

In the Volume Detail view, search by host name and volume name to display the details of usage for a specific volume. As with all Splunk searches select a time range over which you want to collect the data for that volume.

Panel Description
Volume detail This table displays volume detail information including the volume name, the host, the associated aggregate, the storage space available and used, and the amount of storage, as a percent, reserved for snapshot copies. The following search powers the panel:
  • Search: sourcetype="ontap:volume" (source=volume-get-iter volume-id-attributes.name="$name$") OR (source=volume-list-info-iter-start name="$name$") host="$host$" | `CoalesceVolumeFields` | rename "volume-id-attributes.owning-vserver-name" AS vserver | eval pseudovserver=if(isnull(vserver),1,0) | eval vserver=if(pseudovserver==1,host,vserver) | dedup name, vserver, host | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | eval vserver=if(pseudovserver==1,"",vserver) | sort name, vserver, host | rename name AS "Volume", "vserver" AS "Vserver", "host" AS "Host", "containing-aggregate" AS "Aggregate", "percentage-used" AS "Used (%)", "gb-total" AS "Total Space (GB)", "gb-free" AS "Free Space(GB)", snapshot-percent-reserved AS "Snapshot Reserve (%)" | table "Volume", "Vserver", "Host", "Aggregate", "Used (%)", "Total Space (GB)", "Free Space(GB)", "Snapshot Reserve (%)"
  • Sourcetype that must be present for the view to populate: ontap:volume
Associated Aggregates This table displays the aggregates associated with a volume. The following search powers the panel:
  • Search: sourcetype="ontap:volume" (source=volume-get-iter volume-id-attributes.name="$name$") OR (source=volume-list-info-iter-start name="$name$") host="$host$" | `CoalesceVolumeFields` | rename "containing-aggregate" as aggregate | search name="$name$" | dedup name, host | dedup aggregate, host | sort aggregate, host | rename aggregate AS "Aggregate", host AS "Host" | table Aggregate, Host
  • Sourcetype that must be present for the view to populate: ontap:volume
Associated QTrees This table shows the QTrees associated with a volume. The following search powers the panel:
  • Search: sourcetype=ontap:qtree source=qtree-list-iter* (volume="$name$") host="$host$" id!=0 | dedup id, qtree, host | sort host, volume, qtree | rename host AS "Host", volume AS "Volume", id AS "ID", qtree AS "Qtree", oplocks AS "Oplocks", status AS "Status", security-style AS "Security Style" | table "Host", "Volume", "ID", "Qtree", "Oplocks", "Status", "Security Style"
  • Sourcetype that must be present for the view to populate: ontap:qtree
Associated LUNs This table shows the LUNs associated with a volume. The following search powers the panel:
  • Search: sourcetype=ontap:lun (source=lun-get-iter volume="$name$") OR (source=lun-list-info path="/vol/$name$/*") host="$host$" | dedup serial-number,host | rename size-used as used | sort host, path | eval "size_total"=`BytesToGigaBytes(size)` | eval "size_used"=`BytesToGigaBytes(used)` | rename host AS "Host", path AS "Path", serial-number AS "Serial Number", size_total AS "Total Size (GB)", size_used AS "Used Size (GB)" | table "Host", "Path", "Serial Number", "Total Size (GB)", "Used Size (GB)"
  • Sourcetype that must be present for the view to populate: ontap:lun
Selected Volume Latency (ms) This chart displays the latency for a particular volume. The following search powers the panel:
  • Search: | savedsearch "accel_volume_latency_rate" | search host="$host$" instance_name="$name$" | timechart first(avg_latency_average) as avg_latency_average first(other_latency_average) as other_latency_average first(write_latency_average) as write_latency_average first(read_latency_average) as read_latency_average by fullName
  • Sourcetype that must be present for the view to populate: ontap:perf
Data Transfer Rates (B/S) This chart displays the rate of data transfer for the volume. The following search powers the panel:
  • Search: | savedsearch "accel_volume_data_rates" | search host="$host$" instance_name="$name$" | timechart first(read_data_rate) as read_data_rate first(write_data_rate) as write_data_rate by fullName
  • Sourcetype that must be present for the view to populate: ontap:perf
IOPS This chart displays the total disk I/O requests for the volume. The following search powers the panel:
  • Search:| savedsearch "accel_volume_iops" | search host="$host$" instance_name="$name$" | timechart first(total_ops_rate) as total_ops_rate first(write_ops_rate) as write_ops_rate first(read_ops_rate) as read_ops_rate first(other_ops_rate) as other_ops_rate by fullName
  • Sourcetype that must be present for the view to populate: ontap:perf
Number of Block Operations Per Second This chart displays the read and write operations on a block. The following search powers the panel:
  • Search:| savedsearch "accel_volume_block_ops" | search host="$host$" instance_name="$name$" | timechart first(read_blocks_rate) as read_blocks_rate first(write_blocks_rate) as write_blocks_rate by fullName
  • Sourcetype that must be present for the view to populate: ontap:perf

Disk Detail

In the Disk Detail View, search by IP address of the host and the disk label to display the usage details for a specific disk. As with all Splunk searches, select a time range over which you want to collect the data for that disk. You can perform a general search using "*" as the value in both the host and Disk Lablel fields, or you can filter your search to a specific host, or search for a specific disk label on a host.

Panel Description
Disk Detail This table shows the details for the disk instance (identified by the Disk Label). The following search powers the panel:
  • Search: index=ontap (source=storage-disk-get-iter disk-name="*$name$") OR (source=disk-list-info name="$name$") host="$host$" | rex field=disk-name "(?<node_name>[^:]+):(?<instance_name>.*?)$" | eval instance_name=if(isnull(instance_name),name,instance_name) | rename disk-name AS disk_name disk-model AS disk_model disk-type AS disk_type disk-inventory-info.model AS dii_model disk-inventory-info.disk-type AS dii_dt disk-ownership-info.owner-node-name as dii_hnn | eval disk-name=if(isnull(disk_name),name,disk_name) | eval disk-model=if(isnull(dii_model),disk_model,dii_model) | eval disk-type=if(isnull(disk_type),dii_dt,disk_type) | eval node-name=if(isnull(node_name),dii_hnn,node_name) | dedup disk-name, host | table disk-name,node-name,host,instance_name,disk-model,disk-type | rename disk-name AS "Disk", node-name AS "Node", host as "Host", instance_name as "Name", disk-model as "Model", disk-type as "Type"
Selected Disk Latency (ms) This chart displays the read latency for the selected disk. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=DiskPerfHandler host="*" (instance_name="v1.28" OR display_name="v1.28") | eval disk-name=if(isnull(display_name),instance_name,display_name)| timechart first(read_latency) as read_latency first(write_latency) as write_latency first(eval(cp_read_latency_average/1000)) as cp_read_latency by disk-name
  • Sourcetype that must be present for the view to populate: ontap:perf
Data Transfer Rates (Blocks/S) This chart displays the rate of data transfer on the disk in blocks per second. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=DiskPerfHandler host="$host$" (instance_name="$name$" OR display_name="$name$") | eval disk-name=if(isnull(display_name),instance_name,display_name) | timechart first(user_read_blocks_rate) as user_read_blocks_rate first(user_write_blocks_rate) as user_write_blocks_rate first(skip_blocks_rate) as skip_blocks_rate by disk-name
  • Sourcetype that must be present for the view to populate: ontap:perf
Disk Busy Percent This chart displays the disk usage rate. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=DiskPerfHandler host="$host$" (instance_name="$name$" OR display_name="$name$") | eval disk-name=if(isnull(display_name),instance_name,display_name) | timechart first(disk_busy_percent) as disk_busy_percent by disk-name
  • Sourcetype that must be present for the view to populate: ontap:perf

QTree Detail

In the QTree Detail View, search by IP address of the host, the volume name, and the QTree name to display the usage details for a specific QTree. As with all Splunk searches, select a time range over which you want to collect the data for that QTree. You can perform a general search using "*" as the value in the fields or you can filter your search to a specific QTree. Note that QTree statistics are available only when the volume containing the qtree is online.

Panel Description
QTree Inventory Detail This table displays the QTree details including the volume to which it belongs, the host on which it resides, and the status of the QTree among other details. The following search powers the panel:
  • Search: sourcetype=ontap:qtree source=qtree-list-iter* volume="*groups" id!=0 qtree="*itops" host="<host_name>" | dedup id,qtree,volume,host | table id,qtree,volume,host,status,oplocks,security-style,vserver
  • Sourcetype that must be present for the view to populate: ontap:qtree
QTree OPS (Operations/Second) This chart displays the number of operations performed by the QTree per second. This includes the number of CIFS and NFS calls received and the number of internal operations. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=QtreePerfHandler host="<host_name>" objname="*groups/*itops" | timechart first(cifs_ops_rate) as cifs_ops_rate first(nfs_ops_rate) as nfs_ops_rate first(internal_ops_rate) as internal_ops_rate by objname
  • Sourcetype that must be present for the view to populate: ontap:perf

LUN Detail

In the LUN Detail View, search by IP address or the name of the host and the LUN name (the path to the LUN) to display the usage details for a specific LUN. As with all Splunk searches, select a time range over which you want to collect the data for that LUN. You can perform a general search using "*" as the value in the fields, or you can filter your search to a specific LUN on a specific volume.

Note that the value of <IP_address> and <path> specified in each of the searches below are the actual values you provided as search criteria.

Panel Description
LUN Inventory Detail This table displays the serial number that identifies the LUN, the path on the volume to the LUN, the status of the LUN, the amount of space in GB available and the amount of space used. The following search powers the panel:
  • Search: sourcetype=ontap:lun ((source=lun-get-iter) OR (source=lun-list-info)) host="<IP_address>" path="<path>" | dedup serial-number,host | rename size-used as used | eval "size_total"=`BytesToGigaBytes(size)` | eval "size_used"=`BytesToGigaBytes(used)` | table serial-number, path, online, size_total, size_used, host, vserver, volume | rename size_total AS "size (GB)" size_used as "size used (GB)"
  • Sourcetype that must be present for the view to populate: ontap:lun
LUN Latency (ms) This chart displays the average read and write latency in milliseconds for all operations on the LUN. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=LunPerfHandler host="<IP_address>" objname="<path>" | timechart first(avg_latency_average) as avg_latency_average first(avg_read_latency_average) as avg_read_latency_average first(avg_write_latency_average) as avg_write_latency_average by objname
  • Sourcetype that must be present for the view to populate: ontap:perf
LUN IOPS (Operations/Second) This chart displays the number of read and write operations on the LUN. The following search powers the panel:
  • Search: sourcetype=ontap:perf source=LunPerfHandler host="<IP_address>" objname="<path>" | timechart first(total_ops_rate) as total_ops_rate first(read_ops_rate) as read_ops_rate first(write_ops_rate) as write_ops_rate by objname
  • Sourcetype that must be present for the view to populate: ontap:perf
Last modified on 20 June, 2018
Home dashboard   Reports

This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (EOL): 2.1.8, 2.1.91


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters