Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pass dbinspect result to calculate index disk space

shan_santosh
Explorer
‎04-14-2016 05:33 AM

I this search below to calculate compression rate of my index

| dbinspect index=myIndexName
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
| eval rawTotalinMB=(rawTotal / 1024 / 1024) | fields - rawTotal
| eval compression=round(diskTotalinMB / rawTotalinMB * 100, 2)
| table compression

Then I want to further use the compression value in below search in place of constant value .4

index=_internal source=*metrics.log group=per_index_thruput series=myIndexName | eval MB = round
(kb/1024,2) * .4 | reverse | accum MB as totalvalue | timechart last(totalvalue) span=1d

I tried subsearch and join, but no success. Can any one suggest a solution, hint?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2016 03:30 PM

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2016 03:30 PM

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2016 06:12 AM

Works the same way, it's the first command of the subsearch:

| stats count | eval foo = exact(42 * [dbinspect index=main
  | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
  | eval search=diskTotalinMB / rawTotal * 1024 * 1024 | fields search])
Reply
Solved! Jump to solution

shan_santosh
Explorer
‎04-17-2016 11:18 PM

This worked for me. Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

shan_santosh
Explorer
‎04-14-2016 10:18 PM

Thanks for your reply. however in my case I want to use dbinspect and use its output for sub search. dbinspect has to be a first statement in the search which I can not use as a subsearch. Some sample wrt my scenario will be of great help.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...