topic How to use results from one search to create a timechart? in Splunk Search

How to use results from one search to create a timechart?

Stefanie — Thu, 24 Feb 2022 19:54:25 GMT

I am in the process of creating a search to detect significant hard drive decreases.

Using the results from my search, I would like to then create a timechart to show how the usage has changed over time.

This is my search:

index=perfmon collection=LogicalDisk sourcetype="Perfmon:LogicalDisk" counter="% Free Space" (instance!="HarddiskVolume*") (instance!=_Total) | eval usedSpace=round(100-Value,0) |stats min(usedSpace) as min, avg(usedSpace) as avg by host, instance |eval delta = avg - min |where delta>10 |rename instance as drive

My results return the hostname, the drive letter, the minimum, the average, and the delta for the disk space usage in a tabular format.

Let's say it returns one host, I would then like to use that same host to return a timechart for the host and drive.

Is this possible?

Re: How to use results from one search to create a timechart?

gcusello — Fri, 25 Feb 2022 07:12:11 GMT

Hi @Stefanie,

after a stats command you have only the fields in the stats, in your case min, avg, host and instance, you don't have more _time

So you have to put also -time in you stats, but before of this you have to group _time using the bin command.

So you could try something like this:

index=perfmon collection=LogicalDisk sourcetype="Perfmon:LogicalDisk" counter="% Free Space" (instance!="HarddiskVolume*") (instance!=_Total) | eval usedSpace=round(100-Value,0) | rename instance as drive | bin span=1d _time | stats min(usedSpace) AS min avg(usedSpace) AS avg BY host drive _time | eval delta = avg - min | where delta>10 | eval column=host." ".drive | timechart max(delta) AS max_delta BY column

Ciao.

Giuseppe

Re: How to use results from one search to create a timechart?

Stefanie — Fri, 25 Feb 2022 13:24:55 GMT

@gcusello You are a wizard! Thank you so much!!