Reporting

Timechart: split inputs over multiple lines

bwouters
Path Finder

I want to display a line that represents the disk usage.
There are 3 disks to monitor and they all have their own usage parameters.

I use the following search:
| pivot FreeDisk_George2 RootObject max(Value) AS "% Free Space" SPLITROW instance as Drive SPLITROW _time AS _time PERIOD auto FILTER instance in ("F:","C:","E:") SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1

It gives me 3 lines but it is not representing the disk usage, because I'm not mentioning it somewhere.. Regretfully I don't know exactly what to change. What am I missing here?

0 Karma
1 Solution

bwouters
Path Finder

I found a solution:

| pivot FreeDiskSpace_AllDrivesG2 RootObject max(Value) AS "Max of Value" SPLITROW _time AS _time PERIOD auto SPLITCOL instance SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]

This eventually gave me 3 separate lines which indicates the free space on each disk

View solution in original post

0 Karma

bwouters
Path Finder

I found a solution:

| pivot FreeDiskSpace_AllDrivesG2 RootObject max(Value) AS "Max of Value" SPLITROW _time AS _time PERIOD auto SPLITCOL instance SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]

This eventually gave me 3 separate lines which indicates the free space on each disk

0 Karma

somesoni2
Revered Legend

I believe it's showing "% Free space" and not usage. May be subtract it's value from 100 will give "% Disk Used", like this

| pivot FreeDisk_George2 RootObject max(Value) AS "% Free Space" SPLITROW instance as Drive SPLITROW _time AS _time PERIOD auto FILTER instance in ("F:","C:","E:") SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1 | foreach * [eval "<<FIELD>>"=100-'<<FIELD>>']
0 Karma

bwouters
Path Finder

Thank you for the suggestion.
The main goal I try to achieve here is to have three separate lines in one line chart where each line represents the free space left on that drive.

I don't really grasp the concept yet of how to separate these lines with Splunk. Any ideas on how to do that?

0 Karma

bwouters
Path Finder

Short update:

I'm now looking to make it work with 'chart'
Using the following query:
source="perfmon:disk2" counter="% Free Space" (instance!="_Total") (instance!="HarddiskVolume1") | chart first(Value) by _time

It gives me a nice line in the chart of only one disk, while I have three. How can I separate them?
I would expect something like:
source="perfmon:disk2" counter="% Free Space" (instance!="_Total") (instance!="HarddiskVolume1") | chart first(eval(instance="C:")Value) by _time

Basically saying, I want to have the Values of instance C: (C-drive) but obviously this isn't working but I can't get the syntax straight

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...