Splunk® Supporting Add-on for NetApp

Deploy and use the Splunk Supporting Add-on for NetApp

On January 20, 2023, the Splunk Supporting Add-on for NetApp will reach its end of life and Splunk will no longer maintain or develop this product.

Dashboard reference for the Splunk Supporting Add-on for NetApp

The following dashboards are available in the Splunk Supporting Add-on for NetApp.

ONTAP System Health

The ONTAP System Health dashboard in the Splunk Supporting Add-on for NetApp is the place to confirm that you set up and configured your environment correctly.

In Splunk Web, click Home to display this dashboard. Wait for 10 to 15 minutes after configuring the app for the views to populate before you troubleshoot the app, as it can take this long for field values in the dashboards to get assigned correctly.

Panel Description
7-Mode Controllers Overview This view provides a window into the number of 7-mode filers that you have configured to work with the app and from which you collect data. it provides performance details on a per filer basis. Click the data provided for a filer to drill down to the detailed filer view page. The following search powers the panel:

`ontap-index` (sourcetype=ontap:perf source="SystemPerfHandler") OR (sourcetype=ontap:system source="system-get-info") OR (sourcetype=ontap:system source="system-get-version") earliest=-4h latest=now | append [search `CapacityByHost`] | stats first(*) as *, first(_time) as _time by host | rename is-clustered AS is_clustered |table _time, host, system-name, gb_used, gb_total, percent_used, total_processor_busy_percent, disk_data_read_rate, disk_data_written_rate, total_ops_rate, net_data_*_rate, ontap_version, partner-system-name, system-serial-number,vendor-id,is_clustered | search NOT is_clustered=true | `unitize`

The following source types must be present for the view to populate: ontap:perf and ontap:system.

Cluster Mode Controllers Overview This view provides a window into the number of cluster-mode filers that you have configured to work with the app and from which you collect data. it provides performance details for each cluster. Click the data provided for a cluster to drill down to the detailed cluster view page. The following search powers the panel:

`ontap-index` (sourcetype=ontap:perf source="SystemPerfHandler") OR (sourcetype=ontap:system source="system-get-info") OR (sourcetype=ontap:system source="system-get-version") OR (sourcetype=ontap:system source=system-node-get-iter) earliest=-4h latest=now | append [search `CapacityByHost`] | stats first(*) as *, first(_time) as _time, values(node) as cluster_node_list by host | rename is-clustered AS is_clustered |table _time, host, cluster_node_list, gb_used, gb_total, percent_used, total_processor_busy_percent, disk_data_read_rate, disk_data_written_rate, total_ops_rate, net_data_*_rate, ontap_version, partner-system-name, system-serial-number,vendor-id,is_clustered | search is_clustered=true | `unitize`

The following source types must be present for the view to populate: ontap:perf and ontap:system.

Inventory counts Displays the total number of aggregates, disks, volumes, and LUNs in your environment.
Aggregates with the highest transfer rates over the past 4 hours (transfers/S) This view shows the top ten aggregates with the highest transfer rates over the last four hours. The listed is sorted displayed the aggregate with the most transfer operations per second at the top of the list.

`ontap-index` sourcetype=ontap:perf source=AggrPerfHandler | stats avg(total_transfers_rate) as total_transfers_rate_average max(total_transfers_rate) as total_transfers_rate_max by host,objname | eval total_transfers_rate_average=total_transfers_rate_average/1000| eval total_transfers_rate_max=total_transfers_rate_max/1000 | sort - total_transfers_rate_max |rename objname AS aggregate | head 10

The following source type must be present for the view to populate: ontap:perf

Volumes with highest latency over the past 4 hours (ms) - sourcetype=ontap:perf For most applications the latency request on a volume is important. This view shows the volumes that have experienced the slowest storage performance over the last four hours. The following search powers the panel:

`ontap-index` source=VolumePerfHandler | stats avg(avg_latency_average) as avg_latency_average max(avg_latency_average) as avg_latency_max by host,objname | eval avg_latency_average=avg_latency_average/1000| eval avg_latency_max=avg_latency_max/1000 | sort - avg_latency_max | rename objname AS volume | head 10

The following source type must be present for the view to populate: ontap:perf

LUNs with highest latency over the past 4 hours (ms) - sourcetype=ontap:perf This view shows the LUNs that have experienced the slowest performance (response to an I/O request) over the last four hours. This number is based on an average value. The following search powers the panel:

`ontap-index` source=VolumePerfHandler | stats avg(avg_latency_average) as avg_latency_average max(avg_latency_average) as avg_latency_max by host,objname | eval avg_latency_average=avg_latency_average/1000| eval avg_latency_max=avg_latency_max/1000 | sort - avg_latency_max | rename objname AS volume | head 10

The following source type must be present for the view to populate: ontap:perf

Highest Max User Read Latency Disks over the past 4 hours (ms) This view shows the disks that have experienced the slowest performance (response to an I/O request) over the last four hours. This number is based on an average value. Disk latency depends on the application and its requirements. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=DiskPerfHandler | stats avg(user_read_latency_average) as user_read_latency_average max(user_read_latency_average) as user_read_latency_max first(display_name) as display_name by host,objname | eval user_read_latency_average=user_read_latency_average/1000| eval user_read_latency_max=user_read_latency_max/1000 | sort - user_read_latency_max | table host,display_name,user_read_latency*,objname | rename display_name as disk | head 10

The following source type must be present for the view to populate: ontap:perf

Syslog Errors or Warnings in the past 4 hours This is a list of warning and error messages received from attempts to get syslog data. The following search powers the panel:

`ontap-index` sourcetype="ontap:syslog" (error OR warning)

The following source type must be present for the view to populate: ontap:syslog

Controller View

In the Controller View, search by filer name to display the details of usage for that filer. As with all Splunk searches, select a time range over which you want to collect the data for that filer. You can search using the host name or the system name. The list of filers in your environment is available on the Home dashboard.

Panel Description
Memory This is the amount of available memory in MB on the filer. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] source="system-get-info" |eval memory-size = 'memory-size'." "."MB" | head 1| table memory-size

CPUs This is the number of CPUs on that host. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] source="system-get-info" | head 1| table number-of-processors

Host This is the IP address of the host. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] source="system-get-info" | head 1| table host

Volumes contained This is the number of volumes on the filer. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] sourcetype="ontap:volume" source="volume-list-info-iter-start" | stats dc(name)

The following source type must be present for the view to populate: ontap:volume

Aggregates contained This panel displays the number of aggregates on the filer. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] sourcetype="ontap:aggr" source="aggr-list-info" | stats dc(name)

The following source type must be present for the view to populate: ontap:aggr

Volumes summary This panel displays the name of the volume and other data relating to the usage of the volume. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] sourcetype="ontap:volume" source="volume-list-info-iter-start" | dedup name | rename "size-total" as sz_total | rename "size-available" as sz_free | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | table name, containing-aggregate, disk-count, percentage-used, "gb-total", "gb-free", snapshot-percent-reserved, host | rename name AS "Volume", containing-aggregate AS "Aggregate", disk-count AS "Disks", percentage-used AS "Used (%)", gb-total AS "Total (GB)", gb-free AS "Free (GB)", snapshot-percent-reserved AS "Snapshot Reserve (%)", host AS "Host"

The following source type must be present for the view to populate: ontap:volume

Aggregates summary This panel displays the name of the Aggregate and other data relating to the usage of the aggregate. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] sourcetype="ontap:aggr" source="aggr-list-info" | dedup name | rename "size-total" as sz_total | rename "size-available" as sz_free | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | table name, volume-count, size-percentage-used, "gb-total", "gb-free", host | rename name AS "Aggregate", volume-count AS "Volumes", size-percentage-used AS "Used (%)", gb-total AS "Total (GB)", gb-free AS "Free (GB)", host AS "Host"

Average latency (ms) This chart shows the average latency in milliseconds. The following search powers the panel:

| tstats avg("NetAppPerformance.Volume_Performance.read_latency_average") AS read_latency_average, avg("NetAppPerformance.Volume_Performance.write_latency_average") AS write_latency_average, avg("NetAppPerformance.Volume_Performance.other_latency_average") AS other_latency_average from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.Volume_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | eval read_latency_average=read_latency_average/1000 | eval write_latency_average=write_latency_average/1000 | eval other_latency_average=other_latency_average/1000 | timechart span=5m avg(read_latency_average) AS "Read Latency", avg(write_latency_average) as "Write Latency", avg(other_latency_average) as "Other Latency"

Average CPU Busy (%) This chart shows the amount of CPU used as a percent. The following search powers the panel:

| tstats avg("NetAppPerformance.System_Performance.cpu_busy_percent") AS cpu_busy_percent from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.System_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | timechart avg(cpu_busy_percent) as "Host" by host

Capacity (GB) This chart shows the capacity used in GB. The following search powers the panel:

`ontap-index` [search `SystemHostname("<IP_address>")`] sourcetype=ontap:volume source="volume-list-info-iter-start" | convert num(size-total) as st | convert num(size-available) as sf | eval "gb-total"=`BytesToGigaBytes(st)` | eval "gb-free"=`BytesToGigaBytes(sf)` | bucket _time span=30m | table _time, name, "gb-total", "gb-free" | dedup _time, name | stats sum("gb-total") as space_used_total sum("gb-free") as space_used_free by _time | timechart span=30m avg(space_used_total) as "total space", avg(space_used_free) as "free space" by host

Volumes with highest latency over the past hour (ms) This view shows the volumes with highest latency. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=VolumePerfHandler [search `SystemHostname("$name$")`] | stats avg(avg_latency_average) as avg_latency_average max(avg_latency_average) as avg_latency_max by host,instance_name | eval avg_latency_average=avg_latency_average/1000 | eval avg_latency_max=avg_latency_max/1000 | sort - avg_latency_max | rename instance_name AS "Volume", host AS "Host", avg_latency_average AS "Average Latency", avg_latency_max AS "Max Latency" | head 10

The following source type must be present for the view to populate: ontap:perf

Aggregates with the highest transfer rates over the past hour (transfers/S) This view shows the aggregates with the highest transfer rates over the past hour. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=AggrPerfHandler [search `SystemHostname("$name$")`] | stats avg(total_transfers_rate) as total_transfers_rate_average max(total_transfers_rate) as total_transfers_rate_max by host,instance_name | eval total_transfers_rate_average=total_transfers_rate_average/1000 | eval total_transfers_rate_max=total_transfers_rate_max/1000 | sort - total_transfers_rate_max | rename instance_name AS "Aggregate", host AS "Host", total_transfers_rate_average as "Average Transfer Rate", total_transfers_rate_max as "Max Transfer Rate" | head 10

The following source type must be present for the view to populate: ontap:perf

Highest Max User Read Latency Disks over the past hour (ms) This view shows the highest max user read latency disks over the past hour. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=DiskPerfHandler [search `SystemHostname("$name$")`] | stats avg(user_read_latency_average) as user_read_latency_average max(user_read_latency_average) as user_read_latency_max first(display_name) as display_name by host,instance_name | eval user_read_latency_average=user_read_latency_average/1000 | eval user_read_latency_max=user_read_latency_max/1000 | sort - user_read_latency_max | table host, display_name, user_read_latency* | rename display_name as "Disk", host as "Host", user_read_latency_average as "Average Latency", user_read_latency_max as "Max Latency" | head 10

The following source type must be present for the view to populate: ontap:perf

Cluster View

In the Cluster View, search by cluster name to display the details of usage for that NetApp cluster. As with all Splunk searches, select a time range over which you want to collect the data for that cluster. You can search using the host IP address or the "cluster_node_list". The list of cluster mode filers in your environment is available on the Home Dashboard.

Panel Description
Number of nodes This panel displays the number of nodes in the cluster. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] source="cluster-node-get-iter" | stats dc(node-name) as num_nodes

Number of vservers This panel displays the number of virtual servers in the cluster. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] vserver-type="data" | stats dc(vserver-name)

Cluster management server This panel provides the IP address of the cluster management server. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] source="cluster-identity-get" | head 1| table host

Volumes contained This panel displays the number of volumes in the cluster. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] source="volume-get-iter" | stats dc(volume-id-attributes.uuid)

Aggregates contained This panel displays the number of Aggregates in the cluster. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] source="aggr-get-iter" | stats dc(aggregate-uuid)

Volumes summary This table displays the name of the Volume and other data relating to the usage of the volume. .... The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] sourcetype="ontap:volume" source="volume-get-iter" | dedup "volume-id-attributes.uuid" | rename "volume-space-attributes.size-total" as sz_total "volume-space-attributes.size-available" as sz_free "volume-space-attributes.percentage-snapshot-reserve" as "snapshot-percent-reserved" | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | rename "volume-id-attributes.name" AS "Name", "volume-id-attributes.owning-vserver-name" AS "Vserver", "volume-id-attributes.containing-aggregate-name" AS "Containing Aggregate", "volume-space-attributes.percentage-size-used" AS "Used (%)", "gb-total" AS "Total Space (GB)", "gb-free" AS "Free Space (GB)", "snapshot-percent-reserved" AS "Snapshot Reserve (%)", "host" AS "Host" | table "Name", "Vserver", "Containing Aggregate", "Used (%)", "Total Space (GB)", "Free Space (GB)", "Snapshot Reserve (%)", "Host"

The following source type must be present for the view to populate: ontap:volume

Aggregates summary This table displays the name of the Aggregate and other data relating to the usage of the aggregate. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] sourcetype="ontap:aggr" source="aggr-get-iter" | rename aggregate-name as name | dedup name | rename "aggr-space-attributes.percent-used-capacity" as "size-percentage-used" | rename "aggr-volume-count-attributes.flexvol-count" as "volume-count" | rename "aggr-space-attributes.size-total" as sz_total | rename "aggr-space-attributes.size-available" as sz_free | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | rename name AS "Name", volume-count AS "Volume Count", size-percentage-used AS "Used (%)", "gb-total" AS "Total Space (GB)", "gb-free" AS "Free Space (GB)", host AS "Host" | table "Name", "Volume Count", "Used (%)", "Total Space (GB)", "Free Space (GB)", "Host"

The following source type must be present for the view to populate: ontap:aggr

Average latency (ms) This chart displays the average latency for the cluster.The following search powers the panel:

| tstats avg("NetAppPerformance.Volume_Performance.read_latency_average") AS read_latency_average, avg("NetAppPerformance.Volume_Performance.write_latency_average") AS write_latency_average, avg("NetAppPerformance.Volume_Performance.other_latency_average") AS other_latency_average from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.Volume_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | eval read_latency_average=read_latency_average/1000 | eval write_latency_average=write_latency_average/1000 | eval other_latency_average=other_latency_average/1000 | timechart span=5m avg(read_latency_average) AS "Read Latency", avg(write_latency_average) as "Write Latency", avg(other_latency_average) as "Other Latency"

Average CPU Busy (%) This chart displays the average CPU usage. The following search powers the panel:

| tstats avg("NetAppPerformance.System_Performance.cpu_busy_percent") AS cpu_busy_percent from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.System_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | timechart avg(cpu_busy_percent) as "Host" by host

Total IOPS rate This chart displays the total I/O request throughput (workload). The following search powers the panel:

| tstats avg("NetAppPerformance.Volume_Performance.read_ops_rate") AS read_ops_rate, avg("NetAppPerformance.Volume_Performance.write_ops_rate") AS write_ops_rate, avg("NetAppPerformance.Volume_Performance.other_ops_rate") AS other_ops_rate, avg("NetAppPerformance.Volume_Performance.total_ops_rate") AS total_ops_rate, from datamodel=NetApp_ONTAP where (nodename = NetAppPerformance.Volume_Performance) groupby _time span=5m, host summariesonly=true | search [search `SystemHostname("$name$")`] | timechart span=5m avg(read_ops_rate) AS "Read IOPS Rate", avg(write_ops_rate) as "Write IOPS Rate", avg(other_ops_rate) as "Other IOPS Rate", avg(total_ops_rate) as "Total IOPS Rate"

Capacity (GB) This chart shows the capacity of the cluster in GB. The following search powers the panel:

`ontap-index` [search `SystemHostname("$name$")`] sourcetype=ontap:volume source="volume-get-iter" | convert num(volume-space-attributes.size-total) as st | convert num(volume-space-attributes.size-available) as sf | eval gb_total=`BytesToGigaBytes(st)` | eval gb_free=`BytesToGigaBytes(sf)` | bucket _time span=30m | rename volume-id-attributes.name as name | table _time, name, gb_total, gb_free | dedup _time, name | stats sum(gb_total) as space_used_total sum(gb_free) as space_used_free by _time | timechart span=30m avg(space_used_total), avg(space_used_free)

The following source type must be present for the view to populate: ontap:volume

Volumes with highest latency over the past hour (ms) This table displays the top 10 volumes with the highest latency in the past hour. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=VolumePerfHandler [search `SystemHostname("$name$")`] | eval vserver_name=if(isnull(vserver_name), "", vserver_name) | stats avg(avg_latency_average) as avg_latency_average max(avg_latency_average) as avg_latency_max by host, vserver_name, instance_name | eval avg_latency_average=avg_latency_average/1000 | eval avg_latency_max=avg_latency_max/1000 | sort - avg_latency_max | rename instance_name AS "Volume", host AS "Host", vserver_name AS "Vserver", avg_latency_average as "Average Latency", avg_latency_max as "Max Latency" | head 10

The following source type must be present for the view to populate: ontap:perf

Aggregates with the highest transfer rates over the past hour (transfers/S) This table displays the top 10 Aggregates with the highest transfer rates in the past hour. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=AggrPerfHandler [search `SystemHostname("$name$")`] | stats avg(total_transfers_rate) as total_transfers_rate_average max(total_transfers_rate) as total_transfers_rate_max by host,instance_name | eval total_transfers_rate_average=total_transfers_rate_average/1000 | eval total_transfers_rate_max=total_transfers_rate_max/1000 | sort - total_transfers_rate_max | rename instance_name AS "Aggregate", host AS "Host", total_transfers_rate_average AS "Average Transfer Rate", total_transfers_rate_max AS "Max Transfer Rate" | head 10

The following source type must be present for the view to populate: ontap:perf

Highest Max User Read Latency Disks over the past hour (ms) This table displays the top 10 disks with the highest Max User Read Latency over the past hour The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=DiskPerfHandler [search `SystemHostname("$name$")`] | stats avg(user_read_latency_average) as user_read_latency_average max(user_read_latency_average) as user_read_latency_max first(display_name) as display_name by host, instance_name | eval user_read_latency_average=user_read_latency_average/1000 | eval user_read_latency_max=user_read_latency_max/1000 | sort - user_read_latency_max | rename host AS "Host", display_name AS "Disk", user_read_latency_average AS "Average User Read Latency", user_read_latency_max AS "Max User Read Latency", objname AS "Disk ID" | table "Host", "Disk", "Average User Read Latency", "Max User Read Latency", "Disk ID" | head 10

The following source type must be present for the view to populate: ontap:perf

Aggregate Detail

In the Aggregate Detail View, search by providing the IP address for the host and an aggregate name, to display the details of usage for that aggregate. As with all Splunk searches, select a time range over which you want to collect the data for that aggregate. The list of aggregates in your environment is available on the Home Dashboard.

Note that the value of <IP_address> specified in each of the searches below is the actual IP address you provided for the host.

Panel Description
Aggregate Detail This table displays displays the name of the Aggregate and other data relating to the usage of the aggregate. The following search powers the panel:

`ontap-index` sourcetype="ontap:aggr" (source="aggr-list-info" name="$name$") OR (source="aggr-get-iter" aggregate-name="$name$" ) host="$host$" | `CoalesceAggrFields` | dedup name, host | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | table name, host, volume-count, size-percentage-used, "gb-total", "gb-free" | rename name AS "Aggregate", host AS "Host", volume-count AS "Volumes", size-percentage-used AS "Used (%)", gb-total AS "Total (GB)", gb-free as "Free (GB)"

The following source type must be present for the view to populate: ontap:aggr

Associated Volumes This table displays the name of the volumes and the hosts and aggregates to which they relate. The following search powers the panel:

`ontap-index` sourcetype="ontap:volume" host="$host$" (source="volume-get-iter" OR source="volume-list-info-iter-start") | `CoalesceVolumeFields` | rename name as volume | search "containing-aggregate"="$name$" | dedup "containing-aggregate", host, volume | rename "containing-aggregate" as aggregate | sort aggregate, volume | table volume, host, aggregate | rename volume AS "Volume", host AS "Host", aggregate AS "Aggregate"

The following source type must be present for the view to populate: ontap:volume

Associated Disks This table displays disk details for the aggregates and hosts. The following search powers the panel:

`ontap-index` sourcetype=ontap:disk (source=disk-list-info aggregate="$name$") OR (source=storage-disk-get-iter disk-raid-info.disk-aggregate-info.aggregate-name="$name$") host="$host$" | rex field=disk-name "(?<node_name>[^:]+):(?<instance_name>.*?)$" | eval instance_name=if(isnull(instance_name),name,instance_name) | rename disk-name AS disk_name disk-raid-info.disk-aggregate-info.aggregate-name AS dri_aggr_name serial-number AS serial_number disk-type AS disk_type disk-inventory-info.serial-number AS dii_sn disk-inventory-info.disk-type AS dii_dt disk-ownership-info.owner-node-name as dii_hnn | eval name=if(isnull(name),disk_name,name) | eval aggregate=if(isnull(aggregate),dri_aggr_name,aggregate) | eval disk-type=if(isnull(disk_type),dii_dt,disk_type) | eval serial-number=if(isnull(serial_number),dii_sn,serial_number) | eval node-name=if(isnull(node_name),dii_hnn,node_name) | dedup name | rename name as disk | table host, aggregate, disk, disk-type, serial-number, instance_name, node-name | rename host AS "Host", aggregate AS "Aggregate", disk AS "Disk", disk-type AS "Type", serial-number AS "Serial Number", instance_name AS "Name", node-name AS "Node"

The following source type must be present for the view to populate: ontap:disk

Aggregate Transfer Rates (OPS/sec) This chart displays the data transfer rates for the aggregate. The following search powers the panel:

`ontap-index` sourcetype="ontap:perf" source=AggrPerfHandler host="$host$" instance_name="$name$" | timechart first(cp_reads_rate) as cp_reads_rate first(total_transfers_rate) as total_transfers_rate first(user_reads_rate) as user_reads_rate first(user_writes_rate) as user_writes_rate by instance_name

The following source type must be present for the view to populate: ontap:perf

Volume Detail

In the Volume Detail view, search by host name and volume name to display the details of usage for a specific volume. As with all Splunk searches select a time range over which you want to collect the data for that volume.

Panel Description
Volume detail This table displays volume detail information including the volume name, the host, the associated aggregate, the storage space available and used, and the amount of storage, as a percent, reserved for snapshot copies. The following search powers the panel:

`ontap-index` sourcetype="ontap:volume" (source=volume-get-iter volume-id-attributes.name="$name$") OR (source=volume-list-info-iter-start name="$name$") host="$host$" | `CoalesceVolumeFields` | rename "volume-id-attributes.owning-vserver-name" AS vserver | eval pseudovserver=if(isnull(vserver),1,0) | eval vserver=if(pseudovserver==1,host,vserver) | dedup name, vserver, host | eval "gb-total"=`BytesToGigaBytes(sz_total)` | eval "gb-free"=`BytesToGigaBytes(sz_free)` | eval vserver=if(pseudovserver==1,"",vserver) | sort name, vserver, host | rename name AS "Volume", "vserver" AS "Vserver", "host" AS "Host", "containing-aggregate" AS "Aggregate", "percentage-used" AS "Used (%)", "gb-total" AS "Total Space (GB)", "gb-free" AS "Free Space(GB)", snapshot-percent-reserved AS "Snapshot Reserve (%)" | table "Volume", "Vserver", "Host", "Aggregate", "Used (%)", "Total Space (GB)", "Free Space(GB)", "Snapshot Reserve (%)"

The following source type must be present for the view to populate: ontap:volume

Associated Aggregates This table displays the aggregates associated with a volume. The following search powers the panel:

`ontap-index` sourcetype="ontap:volume" (source=volume-get-iter volume-id-attributes.name="$name$") OR (source=volume-list-info-iter-start name="$name$") host="$host$" | `CoalesceVolumeFields` | rename "containing-aggregate" as aggregate | search name="$name$" | dedup name, host | dedup aggregate, host | sort aggregate, host | rename aggregate AS "Aggregate", host AS "Host" | table Aggregate, Host

The following source type must be present for the view to populate: ontap:volume

Associated QTrees This table shows the QTrees associated with a volume. The following search powers the panel:

`ontap-index` sourcetype=ontap:qtree source=qtree-list-iter* (volume="$name$") host="$host$" id!=0 | dedup id, qtree, host | sort host, volume, qtree | rename host AS "Host", volume AS "Volume", id AS "ID", qtree AS "Qtree", oplocks AS "Oplocks", status AS "Status", security-style AS "Security Style" | table "Host", "Volume", "ID", "Qtree", "Oplocks", "Status", "Security Style"

The following source type must be present for the view to populate: ontap:qtree

Associated LUNs This table shows the LUNs associated with a volume. The following search powers the panel:

`ontap-index` sourcetype=ontap:lun (source=lun-get-iter volume="$name$") OR (source=lun-list-info path="/vol/$name$/*") host="$host$" | dedup serial-number,host | rename size-used as used | sort host, path | eval "size_total"=`BytesToGigaBytes(size)` | eval "size_used"=`BytesToGigaBytes(used)` | rename host AS "Host", path AS "Path", serial-number AS "Serial Number", size_total AS "Total Size (GB)", size_used AS "Used Size (GB)" | table "Host", "Path", "Serial Number", "Total Size (GB)", "Used Size (GB)"

The following source type must be present for the view to populate: ontap:lun

Selected Volume Latency (ms) This chart displays the latency for a particular volume. The following search powers the panel:

| savedsearch "accel_volume_latency_rate" | search host="$host$" instance_name="$name$" | timechart first(avg_latency_average) as avg_latency_average first(other_latency_average) as other_latency_average first(write_latency_average) as write_latency_average first(read_latency_average) as read_latency_average by fullName

The following source type must be present for the view to populate: ontap:perf

Data Transfer Rates (B/S) This chart displays the rate of data transfer for the volume. The following search powers the panel:

| savedsearch "accel_volume_data_rates" | search host="$host$" instance_name="$name$" | timechart first(read_data_rate) as read_data_rate first(write_data_rate) as write_data_rate by fullName

The following source type must be present for the view to populate: ontap:perf

IOPS This chart displays the total disk I/O requests for the volume. The following search powers the panel:

| savedsearch "accel_volume_iops" | search host="$host$" instance_name="$name$" | timechart first(total_ops_rate) as total_ops_rate first(write_ops_rate) as write_ops_rate first(read_ops_rate) as read_ops_rate first(other_ops_rate) as other_ops_rate by fullName

The following source type must be present for the view to populate: ontap:perf

Number of Block Operations Per Second This chart displays the read and write operations on a block. The following search powers the panel:

| savedsearch "accel_volume_block_ops" | search host="$host$" instance_name="$name$" | timechart first(read_blocks_rate) as read_blocks_rate first(write_blocks_rate) as write_blocks_rate by fullName

The following source type must be present for the view to populate: ontap:perf

Disk Details

In the Disk Detail View, search by IP address of the host and the disk label to display the usage details for a specific disk. As with all Splunk searches, select a time range over which you want to collect the data for that disk. You can perform a general search using "*" as the value in both the host and Disk Lablel fields, or you can filter your search to a specific host, or search for a specific disk label on a host.

Panel Description
Disk Detail This table shows the details for the disk instance (identified by the Disk Label). The following search powers the panel:

`ontap-index` (source=storage-disk-get-iter disk-name="*$name$") OR (source=disk-list-info name="$name$") host="$host$" | rex field=disk-name "(?<node_name>[^:]+):(?<instance_name>.*?)$" | eval instance_name=if(isnull(instance_name),name,instance_name) | rename disk-name AS disk_name disk-model AS disk_model disk-type AS disk_type disk-inventory-info.model AS dii_model disk-inventory-info.disk-type AS dii_dt disk-ownership-info.owner-node-name as dii_hnn | eval disk-name=if(isnull(disk_name),name,disk_name) | eval disk-model=if(isnull(dii_model),disk_model,dii_model) | eval disk-type=if(isnull(disk_type),dii_dt,disk_type) | eval node-name=if(isnull(node_name),dii_hnn,node_name) | dedup disk-name, host | table disk-name,node-name,host,instance_name,disk-model,disk-type | rename disk-name AS "Disk", node-name AS "Node", host as "Host", instance_name as "Name", disk-model as "Model", disk-type as "Type"

Selected Disk Latency (ms) This chart displays the read latency for the selected disk. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=DiskPerfHandler host="*" (instance_name="v1.28" OR display_name="v1.28") | eval disk-name=if(isnull(display_name),instance_name,display_name)| timechart first(read_latency) as read_latency first(write_latency) as write_latency first(eval(cp_read_latency_average/1000)) as cp_read_latency by disk-name

The following source type must be present for the view to populate: ontap:perf

Data Transfer Rates (Blocks/S) This chart displays the rate of data transfer on the disk in blocks per second. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=DiskPerfHandler host="$host$" (instance_name="$name$" OR display_name="$name$") | eval disk-name=if(isnull(display_name),instance_name,display_name) | timechart first(user_read_blocks_rate) as user_read_blocks_rate first(user_write_blocks_rate) as user_write_blocks_rate first(skip_blocks_rate) as skip_blocks_rate by disk-name

The following source type must be present for the view to populate: ontap:perf

Disk Busy Percent This chart displays the disk usage rate. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=DiskPerfHandler host="$host$" (instance_name="$name$" OR display_name="$name$") | eval disk-name=if(isnull(display_name),instance_name,display_name) | timechart first(disk_busy_percent) as disk_busy_percent by disk-name

The following source type must be present for the view to populate: ontap:perf

QTree Details

In the QTree Detail View, search by IP address of the host, the volume name, and the QTree name to display the usage details for a specific QTree. As with all Splunk searches, select a time range over which you want to collect the data for that QTree. You can perform a general search using "*" as the value in the fields or you can filter your search to a specific QTree. Note that QTree statistics are available only when the volume containing the qtree is online.

Panel Description
QTree Inventory Detail This table displays the QTree details including the volume to which it belongs, the host on which it resides, and the status of the QTree among other details. The following search powers the panel:

`ontap-index` sourcetype=ontap:qtree source=qtree-list-iter* volume="*groups" id!=0 qtree="*itops" host="<host_name>" | dedup id,qtree,volume,host | table id,qtree,volume,host,status,oplocks,security-style,vserver

The following source type must be present for the view to populate: ontap:qtree

QTree OPS (Operations/Second) This chart displays the number of operations performed by the QTree per second. This includes the number of CIFS and NFS calls received and the number of internal operations. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=QtreePerfHandler host="<host_name>" objname="*groups/*itops" | timechart first(cifs_ops_rate) as cifs_ops_rate first(nfs_ops_rate) as nfs_ops_rate first(internal_ops_rate) as internal_ops_rate by objname

The following source type must be present for the view to populate: ontap:perf

LUN Detail

In the LUN Detail View, search by IP address or the name of the host and the LUN name (the path to the LUN) to display the usage details for a specific LUN. As with all Splunk searches, select a time range over which you want to collect the data for that LUN. You can perform a general search using "*" as the value in the fields, or you can filter your search to a specific LUN on a specific volume.

Note that the value of <IP_address> and <path> specified in each of the searches below are the actual values you provided as search criteria.

Panel Description
LUN Inventory Detail This table displays the serial number that identifies the LUN, the path on the volume to the LUN, the status of the LUN, the amount of space in GB available and the amount of space used. The following search powers the panel:

`ontap-index` sourcetype=ontap:lun ((source=lun-get-iter) OR (source=lun-list-info)) host="<IP_address>" path="<path>" | dedup serial-number,host | rename size-used as used | eval "size_total"=`BytesToGigaBytes(size)` | eval "size_used"=`BytesToGigaBytes(used)` | table serial-number, path, online, size_total, size_used, host, vserver, volume | rename size_total AS "size (GB)" size_used as "size used (GB)"

The following source type must be present for the view to populate: ontap:lun

LUN Latency (ms) This chart displays the average read and write latency in milliseconds for all operations on the LUN. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=LunPerfHandler host="<IP_address>" objname="<path>" | timechart first(avg_latency_average) as avg_latency_average first(avg_read_latency_average) as avg_read_latency_average first(avg_write_latency_average) as avg_write_latency_average by objname

The following source type must be present for the view to populate: ontap:perf

LUN IOPS (Operations/Second) This chart displays the number of read and write operations on the LUN. The following search powers the panel:

`ontap-index` sourcetype=ontap:perf source=LunPerfHandler host="<IP_address>" objname="<path>" | timechart first(total_ops_rate) as total_ops_rate first(read_ops_rate) as read_ops_rate first(write_ops_rate) as write_ops_rate by objname

The following source type must be present for the view to populate: ontap:perf

Last modified on 09 January, 2021
Get started with the Splunk Supporting Add-on for NetApp   Troubleshoot the Splunk Supporting Add-on for NetApp

This documentation applies to the following versions of Splunk® Supporting Add-on for NetApp: 1.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters