- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help on an issue with OR condition
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
when i execute the search below I have no results
index="tutu" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space" OR index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
But no matter index I delete I have results
example :
index="tutu" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space"
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
what is the issue please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
Please use the following syntax for the first part of your query and make sure you have results :
(index="tutu" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space" ) OR (index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
Once this is working add the rest :
... | eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
Let me know if it helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
Please use the following syntax for the first part of your query and make sure you have results :
(index="tutu" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space" ) OR (index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
Once this is working add the rest :
... | eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
Let me know if it helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31
Have you tried this?
(index="tutu" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
