Splunk Search

Help on appendpipe

jip31
Motivator

Hi

I use the code below

In the case of no FreeSpace event exists, I would like to display the message "No disk pace events for this host" in my single panel

How doing this please?

 

 

 

 

 `diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| table FreeSpace 

 

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
`diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| eval FreeSpace=FreeSpace."GB"
| table FreeSpace

and delete option.

View solution in original post

0 Karma

to4kawa
Ultra Champion

 

 `diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| table FreeSpace 
| appendpipe [|stats count
| eval FreeSpace="No disk pace events for this host"
| where count = 0 | table FreeSpace ]

 

There must have been something made by  @woodcock  about it before, but I've forgotten.

0 Karma

jip31
Motivator

Thanks, it works fine but ..

In my xml , i format my single value like this

<option name="unit">GB</option>

 So if "No disk space for this events" is true what is displayed is "No disk space for this events GB".....

0 Karma

to4kawa
Ultra Champion
`diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| eval FreeSpace=FreeSpace."GB"
| table FreeSpace

and delete option.

0 Karma

jip31
Motivator

it works but in this case I lost the color format vizualization I use 

 

ex : 0 to 32 : red color

32 to 50 : orange color

0 Karma

jip31
Motivator

Thanks Would you confirme that with this code the color palette will continue to work fine? ( i cant test ot today sorry)?

0 Karma

jip31
Motivator
Thanks Would you confirme that with this code the color palette will continue to work fine? ( i cant test ot today sorry)?
0 Karma

woodcock
Esteemed Legend

You've got it; that's the way to do it, but it was originally from @martin_mueller .

to4kawa
Ultra Champion

Every query has its own history. thanks @woodcock 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...