- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparison of Field values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a JSON which has something like this "Current Free Space","value":"240 KB", i am parsing out the field name which is "Current Free Space" and has the value 240 and the unit is KB, the possible unit can be B,KB,MB,GB .
I have a REGEX which is rex "\"Current Free Space\",\"value\":\"(?\d*.\d*)\s(?\w*)\"}"
I want to write a query which actually displays the count of devices which have "Current Free Space" less than 10GB.
Currently the fields freeSpaceAmount freeSpaceMeasure are different.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
try this search anywhere:
| makeresults count=1
| eval "Current Free Space" = "100 GB, 10 KB, 1300 B, 14000 MB, 1 TB"
| makemv delim="," "Current Free Space"
| mvexpand "Current Free Space"
| rex field="Current Free Space" "(?<Value>\d+)\s+(?<Unit>\w*)$"
| eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1)
| eval InBytes=Value*factor
| eval in_GB = round(InBytes/1024/1024/1024, 3)
you can set the rules of less than 10 gb or any other rule as you like
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
try this search anywhere:
| makeresults count=1
| eval "Current Free Space" = "100 GB, 10 KB, 1300 B, 14000 MB, 1 TB"
| makemv delim="," "Current Free Space"
| mvexpand "Current Free Space"
| rex field="Current Free Space" "(?<Value>\d+)\s+(?<Unit>\w*)$"
| eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1)
| eval InBytes=Value*factor
| eval in_GB = round(InBytes/1024/1024/1024, 3)
you can set the rules of less than 10 gb or any other rule as you like
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understood everything except true(),1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from docs:
The following example shows how to use the true() function to provide a default to the case function.
... | eval error=case(status == 200, "OK", status == 404, "Not found", true(), "Other")
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
