topic Re: Getting _time into a |rest search in Splunk Search

Getting _time into a |rest search

TheJagoff — Tue, 29 Sep 2020 13:55:49 GMT

Hello,

I have a client that does not have the App for Unix/Nix and does not want to install it.
Problem: I need to get the _time into this somehow so it can be used as Metrics in a Base Search for ITSI and the search below isn't recognizing it
I need to track Indexer Disk Usage and took this from another app to attempt to get it adding |eval _time=now()

| rest splunk_server="Indexer01" /services/server/status/partitions-space |eval _time=now()
| eval free = if(isnotnull(available), available, free)
| eval usage = round((capacity - free) / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| eval compare_usage = usage." / ".capacity
| eval pct_usage = round(usage / capacity * 100, 2)
| stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point
| eval OptMountUsage=(if(mount_point=="/opt/mount",pct_usage,NULL)), OptMountSplunkdata2Usage=(if(mount_point=="/opt/mount/splunkdata",pct_usage,NULL))

Is there any way of doing this and if so, what would the resulting search look like for the Base Search?

Many thanks as always

Re: Getting _time into a |rest search

dineshraj9 — Thu, 04 May 2017 09:32:39 GMT

You are adding |eval _time=now() at the top and then performing a | stats function which is not having the _time field.
Try adding |eval _time=now() at the end.

Re: Getting _time into a |rest search

adonio — Thu, 04 May 2017 12:54:07 GMT

hello TheJagoff,
@dineshraj9 comment is great, here is how i slightly modified the search to give you the time field:

| rest splunk_server="*" /services/server/status/partitions-space 
| eval _time=now()
| eval free = if(isnotnull(available), available, free) 
| eval usage = round((capacity - free) / 1024, 2) 
| eval capacity = round(capacity / 1024, 2) 
| eval compare_usage = usage." / ".capacity 
| eval pct_usage = round(usage / capacity * 100, 2)
| stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point _time
| eval OptMountUsage=(if(mount_point=="/opt/mount",pct_usage,NULL)), OptMountSplunkdata2Usage=(if(mount_point=="/opt/mount/splunkdata",pct_usage,NULL))

Added _time after the by clause in line 8
you can outputlookup or collect to summary and then run your base search against it.
however, this is a multi step process while the OS module for ITSI has this all pre-built in a much more efficient and clean way.
any reason not installing the TA for nix?

hope it helps

Re: Getting _time into a |rest search

TheJagoff — Thu, 04 May 2017 13:41:43 GMT

After discussing this morning, they installed the App and Add-on for Unix/Nix this morning so it's all good either way.

Your modifications to the |rest statement works perfectly. Many thanks!