Data center storage is provisioned in two general ways: built into servers and shared using various network storage protocols, or via a dedicated storage array that consolidates capacity for use by multiple applications, which access it over either a dedicated storage area network (SAN) or an Ethernet LAN file-sharing protocol. The activity of internal, server-based storage is typically recorded in system logs. Storage arrays, however, have internal controllers/storage processors that run a storage-optimized OS and log a wealth of operating, error, and usage data. Since many organizations have several such arrays, the logs are often consolidated by a storage management system that can report on aggregate activity and capacity.
Shared storage logs record overall system health, error conditions, and usage. Collectively, this information can alert operations teams to problems, capacity shortfalls, and performance bottlenecks. Data of this type is also used to understand access patterns to files and directories, which provide insight into the performance of applications that depend on the storage. In the Common Information Model, storage data is typically mapped to the Inventory data model and the Performance data model.
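As a rough illustration of the kind of field extraction that precedes a CIM mapping, the sketch below parses a hypothetical key=value storage-array log line into named fields and derives a usage percentage for capacity alerting. The log format, field names, and the `parse_line` helper are all assumptions for illustration; real array log formats vary by vendor.

```python
import re

# Hypothetical storage-array log line; real formats differ by vendor.
sample = "2024-05-01T12:00:00Z array=arr01 pool=p1 capacity_gb=8192 used_gb=6144 errors=0"

def parse_line(line):
    """Extract key=value pairs into a dict of fields, similar to the
    field-extraction step that prepares events for a CIM data model."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # Derive a usage percentage that a capacity alert could threshold on.
    fields["used_pct"] = round(
        100 * int(fields["used_gb"]) / int(fields["capacity_gb"]), 1
    )
    return fields

event = parse_line(sample)
```

In practice this normalization happens inside the ingestion platform (for example, via field extractions and CIM-compliant add-ons) rather than in standalone scripts, but the principle is the same: raw vendor log lines become named fields that downstream inventory and performance reporting can query consistently.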
Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: