Splunk Dev

Perfmon:Free Disk Space instance=C: chart

karakutu
Path Finder

i can create chart for volume status of C: logicalpartition
how can i bring in the some chart also the status of D partition.

so that mean i should related to any host C and D partition. how can i do it.

index=main sourcetype="Perfmon:Free Disk Space"  instance="C:"   | chart latest(Value) as Valuex by host |eval PercentFree = 100 - Valuex
    | eval redCritical   = if(PercentFree  >= 86,PercentFree  ,0) 
    | eval yellowWarning = if(PercentFree  > 76 AND PercentFree <=85,PercentFree  ,0) 
    | eval  greenOK= if(PercentFree  < 75,PercentFree  ,0) 
    | table host,redCritical,yellowWarning,greenOK
Tags (1)
0 Karma
1 Solution

niketn
Legend

@karakutu, Hopefully you are looking for the following (please try out and confirm):

 index=main sourcetype="Perfmon:Free Disk Space" ( instance="C:"  OR  instance="D:") 
 | stats latest(Value) as Valuex by host, instance 
 | eval PercentUsed = 100 - Valuex
 | eval range=case(PercentUsed>=86,"critical",PercentUsed>=76 AND PercentUsed<86, "severe", PercentUsed<75,"low",true(),"critical") 
 | table host,instance,PercentUsed,range

Some changes to your query:
1) PercentFree field should actually be name PercentUsed to avoid confusion.
2) Changed from chart to stats command to allow multiple split. You can do something similar with chart but you would need to create a new field using eval (for example | eval key= host."-".instance | chart last(Value) as Valuex by Key)
3) Created single case statement to create range based on value. (optional, you can retain your existing if() based evals in case that is your use case).


[Updated Answer] Added details as per further questions/clarifications

2) Your query with chart

  index=main sourcetype="Perfmon:Free Disk Space" ( instance="C:"  OR  instance="D:")
 | eval key= host."-".instance
 | chart latest(Value) as Valuex by key
 | eval PercentUsed = 100 - Valuex
 | eval redCritical   = if(PercentUsed >= 86,PercentUsed ,0) 
 | eval yellowWarning = if(PercentUsed > 76 AND PercentUsed <=85,PercentUsed ,0) 
 | eval  greenOK= if(PercentUsed < 75,PercentUsed ,0) 
 | table host,redCritical,yellowWarning,greenOK

3) You need to use charting.fieldColors since you know the field names

<option name="charting.fieldColors">{"redCritical": 0xFF0000, "yellowWarning": 0xFFFF00, "greenOK": 0x00FF00}
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

karakutu
Path Finder

i try also with table key but everytime i get the value of redCritical yellowWarning greenOKas 0

index=main sourcetype="Perfmon:Free Disk Space" ( instance="C:"  OR  instance="D:")
  | eval key= host."-".instance
  | chart latest(Value) as Valuex by key
  | eval PercentUsed = 100 - Valuex
  | eval redCritical   = if(PercentFree  >= 86,PercentFree  ,0) 
  | eval yellowWarning = if(PercentFree  > 76 AND PercentFree <=85,PercentFree  ,0) 
  | eval  greenOK= if(PercentFree  < 75,PercentFree  ,0) 
  | table key,redCritical,yellowWarning,greenOK



key redCritical yellowWarning   greenOK
PostNL-WTS-C:   0   0   0
PostNL-WTS-D:   0   0   0
WIN-G1OI73OMETI-C:  0   0   0
0 Karma

niketn
Legend

Sorry I had missed correction from PercentFree to PercentUsed. I have updated my answer again. Please test and accept if it solves the need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

karakutu
Path Finder

its work thanks. Tesekkürler 🙂

0 Karma

niketn
Legend

@karakutu, Kindly accept my answer for the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

karakutu
Path Finder

1) good idea

2) do you have any idea how can i bring this host."-".instance information as a label on chart? i try to represent it with bar grafik.

3) i try to colorise chart bars.its look like so. if you set the information in a variable named range.
how can i use it for colouration

   <option name="charting.legend.masterLegend"></option>
        <option name="charting.axisTitleY.text">Usage by Percent</option>
        <option name="charting.chart">column</option>
        <option name="charting.legend.labels">[redCritical,yellowWarning,greenOK]</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>
      </chart>
0 Karma

niketn
Legend

@karakutu, Hopefully you are looking for the following (please try out and confirm):

 index=main sourcetype="Perfmon:Free Disk Space" ( instance="C:"  OR  instance="D:") 
 | stats latest(Value) as Valuex by host, instance 
 | eval PercentUsed = 100 - Valuex
 | eval range=case(PercentUsed>=86,"critical",PercentUsed>=76 AND PercentUsed<86, "severe", PercentUsed<75,"low",true(),"critical") 
 | table host,instance,PercentUsed,range

Some changes to your query:
1) PercentFree field should actually be name PercentUsed to avoid confusion.
2) Changed from chart to stats command to allow multiple split. You can do something similar with chart but you would need to create a new field using eval (for example | eval key= host."-".instance | chart last(Value) as Valuex by Key)
3) Created single case statement to create range based on value. (optional, you can retain your existing if() based evals in case that is your use case).


[Updated Answer] Added details as per further questions/clarifications

2) Your query with chart

  index=main sourcetype="Perfmon:Free Disk Space" ( instance="C:"  OR  instance="D:")
 | eval key= host."-".instance
 | chart latest(Value) as Valuex by key
 | eval PercentUsed = 100 - Valuex
 | eval redCritical   = if(PercentUsed >= 86,PercentUsed ,0) 
 | eval yellowWarning = if(PercentUsed > 76 AND PercentUsed <=85,PercentUsed ,0) 
 | eval  greenOK= if(PercentUsed < 75,PercentUsed ,0) 
 | table host,redCritical,yellowWarning,greenOK

3) You need to use charting.fieldColors since you know the field names

<option name="charting.fieldColors">{"redCritical": 0xFF0000, "yellowWarning": 0xFFFF00, "greenOK": 0x00FF00}
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...