Splunk Search

Eval statement based of 1 field using If

codedtech
Path Finder

I have a bunch of storage clusters that we monitor,  60% of the envrioment uses normal GB, the other 40% uses GiB.  I need to show all of the storage arrays in 1 report and normalize the storage to GB, and the only field that is different between the storage besides the array name is "storage vendor" .  I need to create an If statement if vendor is like "X"  run these evals 
|eval _GB_TiB = (((Capacity_GB)*1.1)/1024)*0.909495
| eval "Prov(TiB)" = (((prov_GB)*1.1)/1024)*0.909495
| eval "Written(TiB)" = ((((writtedGB)*1.1)/1024)*0.909495)/2

 

 

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust
How should Splunk distinguish those that use GB from those that use GiB?
---
If this reply helps you, Karma would be appreciated.
0 Karma

codedtech
Path Finder

I like to use an If or case statement ideally based of the vendor or storage array name.  

 

something along the lines like this

query|eval if(vendor="vendor 1(then  eval Capacity(TiB) = (((Capacity_GB)*1.1)/1024)*0.909495
| eval "provisioned (TiB)" = (((provisionedGB)*1.1)/1024)*0.909495
| eval "Written(TiB)" = ((((usedGB)*1.1)/1024)*0.909495)/2

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps this will help

... | eval Capacity = if(vendor="foo" OR vendor="bar", exact((GB*1.1)/1024)*0.909495), GB)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...