Skip to main content

Storage device data

  • Updated

Storage device data is a type of data that comes from the controller components of storage arrays. The controller is in front of the disk or solid state drives and controls connectivity to the backend storage. The controller is a key source of configuration and performance metrics for storage. Sometimes this type of data comes from an operating system that is interfacing with direct attached storage.

Data visibility 

The data of this type is used to understand access patterns to files and directories. These access patterns provide insight into performance of applications that are dependent on the storage. The data also provide insight to capacity usage and availability, meaning how much is stored, how often is it accessed, and how much is left before we can no longer store more data. 

Data application

When your Splunk deployment is ingesting storage device data, you can use the data to achieve objectives related to the following use cases:

High-value fields

This data type has many available fields, but users typically derive the most value out of the fields listed here.

bytes in

Number of bytes written to the storage

bytes out 

Number of bytes read from the storage

cache hit rate

Number of times a read operation finds the data being requested in the cache.

io_ops

Number of read or write operations per second

latency

Average wait time for a write operation to complete 

Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, storage device data is typically mapped to the Inventory, Performance, and Authentication models. 

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations. (This is not an exhaustive list at this time)

 

Data Source

Sourcetype

Recommend Add-Ons

Dell EMC 

sourcetype=emc:isilon:rest 

sourcetype=emc:isilon:syslog

Dell EMC Isilon Add-on for Splunk Enterprise

Net App 

sourcetype="ontap:perf"

Splunk Supporting add-on for NetApp

Windows

sourcetype="WinHostMon://Disk"

Splunk Add-on for Windows 

Unix 

sourcetype="sourcetype = iostat"

Splunk Add-on for Unix and Linux 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.