Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pass dbinspect result to calculate index disk space

shan_santosh
Explorer
‎04-14-2016 05:33 AM

I this search below to calculate compression rate of my index

| dbinspect index=myIndexName
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
| eval rawTotalinMB=(rawTotal / 1024 / 1024) | fields - rawTotal
| eval compression=round(diskTotalinMB / rawTotalinMB * 100, 2)
| table compression

Then I want to further use the compression value in below search in place of constant value .4

index=_internal source=*metrics.log group=per_index_thruput series=myIndexName | eval MB = round
(kb/1024,2) * .4 | reverse | accum MB as totalvalue | timechart last(totalvalue) span=1d

I tried subsearch and join, but no success. Can any one suggest a solution, hint?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2016 03:30 PM

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2016 03:30 PM

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2016 06:12 AM

Works the same way, it's the first command of the subsearch:

| stats count | eval foo = exact(42 * [dbinspect index=main
  | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
  | eval search=diskTotalinMB / rawTotal * 1024 * 1024 | fields search])
Reply
Solved! Jump to solution

shan_santosh
Explorer
‎04-17-2016 11:18 PM

This worked for me. Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

shan_santosh
Explorer
‎04-14-2016 10:18 PM

Thanks for your reply. however in my case I want to use dbinspect and use its output for sub search. dbinspect has to be a first statement in the search which I can not use as a subsearch. Some sample wrt my scenario will be of great help.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...