topic Re: search string in Splunk Search

search string

Splunk_U — Fri, 11 Jan 2013 18:17:55 GMT

Is there any thing wrong with the below search string?????

index=os source=df |multikv fields Filesystem Avail UsePct | search Filesystem=/dev/mapper/system-root | eval availPct=(100-UsePct) | stats avg(Avail) as availDisk avg(availPct) as UsePct by host

Re: search string

Ayn — Fri, 11 Jan 2013 18:51:32 GMT

I assume there's a reason for asking? What results are you currently getting?

Re: search string

Splunk_U — Fri, 11 Jan 2013 18:53:24 GMT

I am getting no result...but it should provide me the avg available disk info and and avg available percentage..Am I missing something in syntax???

Re: search string

sdaniels — Fri, 11 Jan 2013 20:04:50 GMT

It usually makes sense to break down your search and track when you are getting data and then where you aren't getting what you expect. Start with the beginning and then add additional commands one by one to see where the search is breaking down.

Re: search string

Splunk_U — Fri, 11 Jan 2013 20:08:41 GMT

Till the below portion it is working fine..

index=os source=df |multikv fields Filesystem Avail UsePct | search Filesystem=/dev/mapper/system-root

then when I am adding "stats avg(Avail) as availDisk by host" it is not fetching any data...where as if I add "stats values(Avail) as availDisk by host" then the data is coming...

Any thought!!!

Re: search string

Ayn — Fri, 11 Jan 2013 20:22:37 GMT

What format are the values for Avail in? If avg() doesn't return anything even though Avail has values, it indicates that the Avail values aren't something that avg() can treat as numbers.

Re: search string

yannK — Sat, 12 Jan 2013 02:39:18 GMT

Verify is UsePct is a string or a number.
use | convert num(UsePct) if needed