topic Re: help on where condition in Splunk Search

help on where condition

jip31 — Thu, 09 May 2019 13:16:37 GMT

hello

I use the where condition below
I would like to display the events where Free_Space <= "20" AND TotalSpace >= "164"
But I dont understand why even if the free space is < to 20 I have TotalSpace events < to 164?
You can see an example in the screenshot
thanks for your help

(index="toto" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| eval Value = round(Value, 1). " %" 
| eval TotalSpace = TotalSpaceKB/1024 
| eval TotalSpace = round(TotalSpace/1024,1). " GB" 
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
**| where Free_Space <= "20" AND TotalSpace >= "164"**
| sort +Free_Space limit=10

Re: help on where condition

knielsen — Thu, 09 May 2019 13:22:33 GMT

Without trying it jumps at me that you do your comparison on strings, not numbers.

You should add " %" and " GB" after you filter with your where clause, not before.

Hth,
Kai,

Re: help on where condition

jip31 — Thu, 09 May 2019 13:34:20 GMT

I m doing this but it doesnt works

| where Free_Space <= "20 %" AND TotalSpace >= "164 GB"

Re: help on where condition

knielsen — Thu, 09 May 2019 13:37:32 GMT

No, I meant:

 (index="toto" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
 | eval time = strftime(_time, "%m/%d/%Y %H:%M")
 | eval Value = round(Value, 1)
 | eval TotalSpace = TotalSpaceKB/1024
 | eval TotalSpace = round(TotalSpace/1024,1)
 | stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
 | where Free_Space <= 20 AND TotalSpace >= 164
 | eval Free_Space=FreeSpace." %", TotalSpace=TotalSpace." GB"
 | sort +Free_Space limit=10

Re: help on where condition

jip31 — Thu, 09 May 2019 14:37:50 GMT

perfect thanks