topic Re: How to search result in data and put it in a table in Splunk Search

How to search result in data and put it in a table

codedtech — Wed, 28 Aug 2019 23:04:50 GMT

I need to create a table from the results in the query below. where the utilization is greater than or equal to .7.

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated =  round((vmdkallocated/free*100),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|where utilization>=.7|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization

Please feel free to rewrite my code, I know its not efficient or pretty. I'm still learning splunk.

Re: How to search result in data and put it in a table

diogofgm — Wed, 28 Aug 2019 23:10:26 GMT

what's the problem you're trying to have solve? Isn't this working?

Re: How to search result in data and put it in a table

codedtech — Wed, 28 Aug 2019 23:47:20 GMT

I for some reason can't get only the values that are above .7 to display in the table, if I run it like this I get over 1000 results. I'm trying to use this to create an alert that will be distributed via email to the rest of the guys I work with. I need to cut that down to only the results that are greater than or equal to .7

Re: How to search result in data and put it in a table

diogofgm — Thu, 29 Aug 2019 00:04:49 GMT

try removing the |whereand check the final table for the utilisation values. if all seems ok and you're able to find utilization greater than 0.7 (also try using the 0 before the . ) add the |where after the |table . If this still does not work, replace the |where with |search

Re: How to search result in data and put it in a table

codedtech — Wed, 30 Sep 2020 01:57:33 GMT

This worked thank you

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated = round((vmdkallocated/free),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization|where utilization>=0.75|sort -utilization

Re: How to search result in data and put it in a table

diogofgm — Thu, 29 Aug 2019 16:22:11 GMT

If this post solved you problem please mark it as an answer. Thanks