Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Getting _time into a |rest search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a client that does not have the App for Unix/Nix and does not want to install it.
Problem: I need to get the _time into this somehow so it can be used as Metrics in a Base Search for ITSI and the search below isn't recognizing it
I need to track Indexer Disk Usage and took this from another app to attempt to get it adding |eval _time=now()
| rest splunk_server="Indexer01" /services/server/status/partitions-space |eval _time=now()
| eval free = if(isnotnull(available), available, free)
| eval usage = round((capacity - free) / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| eval compare_usage = usage." / ".capacity
| eval pct_usage = round(usage / capacity * 100, 2)
| stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point
| eval OptMountUsage=(if(mount_point=="/opt/mount",pct_usage,NULL)), OptMountSplunkdata2Usage=(if(mount_point=="/opt/mount/splunkdata",pct_usage,NULL))
Is there any way of doing this and if so, what would the resulting search look like for the Base Search?
Many thanks as always
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello TheJagoff,
@dineshraj9 comment is great, here is how i slightly modified the search to give you the time field:
| rest splunk_server="*" /services/server/status/partitions-space
| eval _time=now()
| eval free = if(isnotnull(available), available, free)
| eval usage = round((capacity - free) / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| eval compare_usage = usage." / ".capacity
| eval pct_usage = round(usage / capacity * 100, 2)
| stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point _time
| eval OptMountUsage=(if(mount_point=="/opt/mount",pct_usage,NULL)), OptMountSplunkdata2Usage=(if(mount_point=="/opt/mount/splunkdata",pct_usage,NULL))
Added _time after the by clause in line 8
you can outputlookup or collect to summary and then run your base search against it.
however, this is a multi step process while the OS module for ITSI has this all pre-built in a much more efficient and clean way.
any reason not installing the TA for nix?
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello TheJagoff,
@dineshraj9 comment is great, here is how i slightly modified the search to give you the time field:
| rest splunk_server="*" /services/server/status/partitions-space
| eval _time=now()
| eval free = if(isnotnull(available), available, free)
| eval usage = round((capacity - free) / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| eval compare_usage = usage." / ".capacity
| eval pct_usage = round(usage / capacity * 100, 2)
| stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point _time
| eval OptMountUsage=(if(mount_point=="/opt/mount",pct_usage,NULL)), OptMountSplunkdata2Usage=(if(mount_point=="/opt/mount/splunkdata",pct_usage,NULL))
Added _time after the by clause in line 8
you can outputlookup or collect to summary and then run your base search against it.
however, this is a multi step process while the OS module for ITSI has this all pre-built in a much more efficient and clean way.
any reason not installing the TA for nix?
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After discussing this morning, they installed the App and Add-on for Unix/Nix this morning so it's all good either way.
Your modifications to the |rest statement works perfectly. Many thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are adding |eval _time=now() at the top and then performing a | stats function which is not having the _time field.
Try adding |eval _time=now() at the end.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
