Splunk Search

Help on appendpipe

Contributor

Hi

I use the code below

In the case of no FreeSpace event exists, I would like to display the message "No disk pace events for this host" in my single panel

How doing this please?

 

 

 

 

 `diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| table FreeSpace 

 

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust
`diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| eval FreeSpace=FreeSpace."GB"
| table FreeSpace

and delete option.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

 

 `diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| table FreeSpace 
| appendpipe [|stats count
| eval FreeSpace="No disk pace events for this host"
| where count = 0 | table FreeSpace ]

 

There must have been something made by  @woodcock  about it before, but I've forgotten.

0 Karma

Contributor

Thanks, it works fine but ..

In my xml , i format my single value like this

<option name="unit">GB</option>

 So if "No disk space for this events" is true what is displayed is "No disk space for this events GB".....

0 Karma

SplunkTrust
SplunkTrust
`diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| eval FreeSpace=FreeSpace."GB"
| table FreeSpace

and delete option.

View solution in original post

0 Karma

Contributor

it works but in this case I lost the color format vizualization I use 

 

ex : 0 to 32 : red color

32 to 50 : orange color

0 Karma

Contributor

Thanks Would you confirme that with this code the color palette will continue to work fine? ( i cant test ot today sorry)?

0 Karma

Contributor
Thanks Would you confirme that with this code the color palette will continue to work fine? ( i cant test ot today sorry)?
0 Karma

Esteemed Legend

You've got it; that's the way to do it, but it was originally from @martin_mueller .

SplunkTrust
SplunkTrust

Every query has its own history. thanks @woodcock 

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!