Monitoring Splunk

Pass dbinspect result to calculate index disk space

shan_santosh
Explorer

I this search below to calculate compression rate of my index

| dbinspect index=myIndexName
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
| eval rawTotalinMB=(rawTotal / 1024 / 1024) | fields - rawTotal
| eval compression=round(diskTotalinMB / rawTotalinMB * 100, 2)
| table compression

Then I want to further use the compression value in below search in place of constant value .4

index=_internal source=*metrics.log group=per_index_thruput series=myIndexName | eval MB = round
(kb/1024,2) * .4 | reverse | accum MB as totalvalue | timechart last(totalvalue) span=1d

I tried subsearch and join, but no success. Can any one suggest a solution, hint?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Works the same way, it's the first command of the subsearch:

| stats count | eval foo = exact(42 * [dbinspect index=main
  | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
  | eval search=diskTotalinMB / rawTotal * 1024 * 1024 | fields search])

shan_santosh
Explorer

This worked for me. Thanks for your help.

0 Karma

shan_santosh
Explorer

Thanks for your reply. however in my case I want to use dbinspect and use its output for sub search. dbinspect has to be a first statement in the search which I can not use as a subsearch. Some sample wrt my scenario will be of great help.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...