topic Re: Help with temp tables / variables in Splunk Search

Help with temp tables and variables

AK89 — Thu, 03 Mar 2022 17:25:41 GMT

New to splunk and been struggling manipulating search results into a final result that I am looking for. In powershell where I'm familiar, I would just use a series of variables and return a final result set. I am trying to accomplish the below.

(each target_name has multiple disk_group)

1) i need to find the latest Usable_Free_GB for each disk_group in each target_name and sum them

2) i need to find the latest Usable_Total_GB for each disk_group in each target_name and sum them

I can get #1 and #2 in different searches, but am struggling to get them together to return a result set like this:

Target_Name	UsableSpaceFree	TotalUsableSpace
Target_Name1	123	456
Target_Name2	234	567

This is the closest I can get. But I need to only have 2 rows returned with all three fields populated

Once I can get the result set grouped by Target_Name, I then need to use eval to create a new field like the below using the values from #1 and #2

eval percent_free=round((UsableSpaceFree/TotalUsableSpace)*100,2)

Target_Name	UsableSpaceFree	TotalUsableSpace	percent_free
Target_Name1	123	456	?
Target_Name2	234	567	?

Re: Help with temp tables / variables

SanjayReddy — Thu, 03 Mar 2022 05:59:38 GMT

Hi @AK89

you can use multiple funcation in same stats command

sourcetype=xyz Disk_Group="*Data*"
| stats latest(Usable_Free_GB) as LatestUsable latest(Usable_Total_GB) as LastestTotal by Target_Name Disk_Group

| stats sum(LatestUsable) as UsableSpaceFree sum(LastestTotal) as TotalUsableSpace count(eval(round((UsableSpaceFree/TotalUsableSpace)*100,2))) as percent_free by Target_Name

Re: Help with temp tables / variables

tshah-splunk — Thu, 03 Mar 2022 05:55:20 GMT

Hey @AK89,

Can you try running the below query? I believe it should help you achieve your use case. You can use multiple latest functions and group by the target.

sourcetype=xyz (Disk_Group = "Data*") | stats latest(Usable_Free_GB) as latestusable latest(Usable_Total_GB) as latesttotal by Target_Name Disk_Group | stats sum(latestusable) as UsableFree sum(latesttotal) as UsableTotal by Target_Name | eval percent_free = round(((UsableFree/UsableTotal)*100),2) | table Target_Name UsableFree UsableTotal precent_free

Re: Help with temp tables / variables

AK89 — Thu, 03 Mar 2022 13:10:57 GMT

Thanks. I tried using multiple functions on same command but i must have been messing something up. Thanks for helping me with such a simple question!