Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: Timechart: split inputs over multiple lines
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to display a line that represents the disk usage.
There are 3 disks to monitor and they all have their own usage parameters.
I use the following search:
| pivot FreeDisk_George2 RootObject max(Value) AS "% Free Space" SPLITROW instance as Drive SPLITROW _time AS _time PERIOD auto FILTER instance in ("F:","C:","E:") SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1
It gives me 3 lines but it is not representing the disk usage, because I'm not mentioning it somewhere.. Regretfully I don't know exactly what to change. What am I missing here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a solution:
| pivot FreeDiskSpace_AllDrivesG2 RootObject max(Value) AS "Max of Value" SPLITROW _time AS _time PERIOD auto SPLITCOL instance SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]
This eventually gave me 3 separate lines which indicates the free space on each disk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a solution:
| pivot FreeDiskSpace_AllDrivesG2 RootObject max(Value) AS "Max of Value" SPLITROW _time AS _time PERIOD auto SPLITCOL instance SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1 | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]
This eventually gave me 3 separate lines which indicates the free space on each disk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe it's showing "% Free space" and not usage. May be subtract it's value from 100 will give "% Disk Used", like this
| pivot FreeDisk_George2 RootObject max(Value) AS "% Free Space" SPLITROW instance as Drive SPLITROW _time AS _time PERIOD auto FILTER instance in ("F:","C:","E:") SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1 | foreach * [eval "<<FIELD>>"=100-'<<FIELD>>']
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the suggestion.
The main goal I try to achieve here is to have three separate lines in one line chart where each line represents the free space left on that drive.
I don't really grasp the concept yet of how to separate these lines with Splunk. Any ideas on how to do that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Short update:
I'm now looking to make it work with 'chart'
Using the following query:
source="perfmon:disk2" counter="% Free Space" (instance!="_Total") (instance!="HarddiskVolume1") | chart first(Value) by _time
It gives me a nice line in the chart of only one disk, while I have three. How can I separate them?
I would expect something like:
source="perfmon:disk2" counter="% Free Space" (instance!="_Total") (instance!="HarddiskVolume1") | chart first(eval(instance="C:")Value) by _time
Basically saying, I want to have the Values of instance C: (C-drive) but obviously this isn't working but I can't get the syntax straight
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
