https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62553#M12506 <P>Thank you for the quick response! Appreciate it very much..</P> Fri, 15 Mar 2013 13:44:26 GMT chamil3001 2013-03-15T13:44:26Z https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62550#M12503 <P>Heres what i want to do.</P> <P>Scenario,<BR /> Monitor threshold breaches of CPU,HDD and memory etc</P> <P>1) I have multiple searches written for each of the above and they work ok.</P> <P>Eg1: <STRONG>host="MYHOST1" sourcetype="Perfmon:LogicalDisk_FreeSpace" NOT instance=_Total | eval Value=round(100-Value,2) | sort -_time -Value | head 1 | table Value |sort limit=1 Value| rangemap field="Value" low=0-30 elevated=31-60 default=severe</STRONG></P> <P>Eg2: <STRONG>host="MYHOST1" source="Perfmon:Total_Processor_Time" counter="% Processor Time" |eval myvalues = round(Value, 2) | table myvalues |rename myvalues as "CPU Utilzation" |sort limit=1 myvalues |rangemap field="CPU Utilzation" low=0-30 elevated=31-60 default=severe</STRONG></P> <P>2) Now I want to check both(or multiple) of the above searches at the same time and return a value.</P> <P>Eg: <STRONG>"Threasholds Breached!"</STRONG></P> <P>Thanks in Advance!<BR /> Chamil</P> Mon, 28 Sep 2020 13:31:24 GMT https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62550#M12503 chamil3001 2020-09-28T13:31:24Z https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62551#M12504 <P>You could append them all into one big search, and alert if at least one is breached.</P> Fri, 15 Mar 2013 09:38:59 GMT https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62551#M12504 martin_mueller 2013-03-15T09:38:59Z https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62552#M12505 <P>martin_mueller's idea exemplified;</P> <P>For reasons of simplicity, this search looks at <CODE>host</CODE> fields, and gives you a single value if either part of the search (values h1 or h2) returns the "myhost". </P> <PRE><CODE>index=blah | head 1 | stats first(host) as h1 |appendcols [search index=meh | head 1 |stats first(host) as h2 ] | eval host_value = if((h1=="myhost") OR (h2=="myhost"), "myhost", "not_myhost") </CODE></PRE> <P>/k</P> Fri, 15 Mar 2013 09:57:40 GMT https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62552#M12505 kristian_kolb 2013-03-15T09:57:40Z https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62553#M12506 <P>Thank you for the quick response! Appreciate it very much..</P> Fri, 15 Mar 2013 13:44:26 GMT https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62553#M12506 chamil3001 2013-03-15T13:44:26Z https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62554#M12507 <P>Thank you for the quick response! Appreciate it very much.. </P> <P>I will check it out<BR /> Just came home from office after trying to solve this all day <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 15 Mar 2013 13:45:05 GMT https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62554#M12507 chamil3001 2013-03-15T13:45:05Z https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62555#M12508 <P>managed to get it to work using multiple Eval commands and nested "if" functions.. thanks</P> Tue, 26 Mar 2013 03:10:24 GMT https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62555#M12508 chamil3001 2013-03-26T03:10:24Z https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62556#M12509 <P>yeah.. got it to work, but still need to do some tuning..</P> Tue, 26 Mar 2013 03:11:16 GMT https://community.splunk.com/t5/Getting-Data-In/Check-Multiple-Pre-defined-Searches-and-Return-one-value/m-p/62556#M12509 chamil3001 2013-03-26T03:11:16Z