Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me work out a query involving distrib...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
luckyman80
Path Finder
11-07-2018
08:26 AM
Hi Splunk Community,
I have a simple query which pulls request counts in per node.
sourcetype=test-log New Line
| rex "\'instance1_n_Node1\': (?.*?),"
| rex "\'instance2_n_Node2\': (?.*?),"
| rex "\'instance2_n_Node2\': (?.*?),"
| timechart max(Node1), max(Node2), max(Node3)
This brings me back the values of
Node1 - 100
Node2 - 200
Node3 - 300
My Nodes have a capacity of 320 only. I am trying to show the % left on the available instances so i can see where my space is. What's the best way to do this ?
Thanks in advance !
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
11-08-2018
11:35 AM
if instead of the timechart you use a stats you can then use those values to calculate your percent available and then you can timechart those.
| stats max(Node1) as Node1 max(Node2) as Node2 max(Node3) as Node3 by _time
| eval percent_avail1 = (320-Node1)/320*100
| eval percent_avail2 = (320-Node2)/320*100
| eval percent_avail3 = (320-Node3)/320*100
| timechart max(percent_avail1) max(percent_avail2) max(percent_avail3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
11-08-2018
11:35 AM
if instead of the timechart you use a stats you can then use those values to calculate your percent available and then you can timechart those.
| stats max(Node1) as Node1 max(Node2) as Node2 max(Node3) as Node3 by _time
| eval percent_avail1 = (320-Node1)/320*100
| eval percent_avail2 = (320-Node2)/320*100
| eval percent_avail3 = (320-Node3)/320*100
| timechart max(percent_avail1) max(percent_avail2) max(percent_avail3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
luckyman80
Path Finder
11-09-2018
07:13 AM
kMaron, Thanks for your prompt response.. Worked a treat
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
