Hello
I wanted to request some assistance with the topic of combining different searches from the same index and same sourcetype, but different sources, into a table, or even a report.
I struggle with the concept of combining them.
I have researched joins, stats, charts, etc., but when I try to implement them I get errors; I am missing a point somewhere, which leaves me unsure of how to combine them effectively to get the results I need.
So any guidance or information that may assist me to learn properly would be very helpful.
I have the following separate searches that give me the results I need:
====================================
Storage
index="SRV" sourcetype=WinHostMon source=disk DriveType=fixed TotalSpaceKB="*"
| eval TotalSpaceKB = round (TotalSpaceKB/100000000)
| stats sum(TotalSpaceKB) as "TotalSpace (GB)" by host
OS
index="SRV" sourcetype=WinHostMon source=operatingsystem os="*"
| dedup host
| table host os
CPU
index="SRV" sourcetype=WinHostMon source=processor NumberOfProcessors="*"
| dedup host
| table host NumberOfProcessors
Memory
index="SRV" sourcetype=WinHostMon source=operatingsystem TotalPhysicalMemoryKB="*"
| dedup host
| eval "TotalPhysicalMemory (GB)" = round (((TotalPhysicalMemoryKB)/1000000),1)
| table host "TotalPhysicalMemory (GB)"
=============================
My end goal is to provide a single table or report with the following columns:
Host, OS, Number of Processors, total physical memory, total storage
Thank you
Dan
Hi @Hudond,
You don't need to run different searches, because you can take the data in one search, something like this:
index="SRV" sourcetype=WinHostMon
| stats sum(TotalSpaceKB) AS TotalSpaceKB values(os) AS os values(NumberOfProcessors) AS NumberOfProcessors max(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB by host
| eval "TotalSpace (GB)" = round(TotalSpaceKB/1000000), "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000,1)
| table host os NumberOfProcessors "TotalPhysicalMemory (GB)" "TotalSpace (GB)"
Storage, CPU, memory and OS are static data, so my hint is to schedule this search and put the results in a lookup; in this way you'll have all the data quickly usable without rerunning the search.
In addition: Splunk isn't a DB where data are separated; using Splunk you have to think in a different way!
Ciao.
Giuseppe
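Added example, not from either post in this thread: the same one-search approach, with the KB-to-GB conversion done after stats on the raw fields, each fixed disk collapsed to its latest polled reading before summing (so repeated WinHostMon polls inside the time range do not inflate the storage total), and the lookup hint carried through with outputlookup/inputlookup. The lookup name host_inventory.csv and the use of the Name field as the drive letter on source=disk events are assumptions, not taken from the thread.

```spl
index="SRV" sourcetype=WinHostMon (source=disk DriveType=fixed) OR source=operatingsystem OR source=processor
| fillnull value="n/a" Name
| stats latest(TotalSpaceKB) AS TotalSpaceKB latest(os) AS os latest(NumberOfProcessors) AS NumberOfProcessors latest(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB by host Name
| stats sum(TotalSpaceKB) AS TotalSpaceKB values(os) AS os values(NumberOfProcessors) AS NumberOfProcessors max(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB by host
| eval "TotalSpace (GB)" = round(TotalSpaceKB/1000000), "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000,1)
| table host os NumberOfProcessors "TotalPhysicalMemory (GB)" "TotalSpace (GB)"
| outputlookup host_inventory.csv

| inputlookup host_inventory.csv
| rename os AS "OS", NumberOfProcessors AS "Number of Processors"
| sort host
```

The first search is meant to run as a scheduled saved search (daily is plenty for inventory data); the second is what the report or dashboard panel runs, and it never touches the index. The first stats groups by host and Name so that operatingsystem and processor events (Name filled with "n/a") sit in one row per host while each fixed disk keeps its own row until the second stats sums them.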
Thank you Giuseppe, that helped lead me in the right direction.