Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with temp tables and variables

AK89
Explorer
‎03-02-2022 06:14 PM

New to splunk and been struggling manipulating search results into a final result that I am looking for. In powershell where I'm familiar, I would just use a series of variables and return a final result set. I am trying to accomplish the below.

(each target_name has multiple disk_group)

1) i need to find the latest Usable_Free_GB for each disk_group in each target_name and sum them

Screenshot 2022-03-02 210151.png

2) i need to find the latest Usable_Total_GB for each disk_group in each target_name and sum them

Screenshot 2022-03-02 210209.png

I can get #1 and #2 in different searches, but am struggling to get them together to return a result set like this:

Target_Name UsableSpaceFree TotalUsableSpace
Target_Name1 123 456
Target_Name2 234 567

 

This is the closest I can get. But I need to only have 2 rows returned with all three fields populated 

 

Screenshot 2022-03-02 211537.png

Once I can get the result set grouped by Target_Name, I then need to use eval to create a new field like the below using the values from #1 and #2

 

eval percent_free=round((UsableSpaceFree/TotalUsableSpace)*100,2)

 

Target_Name UsableSpaceFree TotalUsableSpace percent_free
Target_Name1 123 456 ?
Target_Name2 234 567 ?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎03-02-2022 09:55 PM

Hey @AK89,

Can you try running the below query? I believe it should help you achieve your use case. You can use multiple latest functions and group by the target.

sourcetype=xyz (Disk_Group = "Data*")
| stats latest(Usable_Free_GB) as latestusable latest(Usable_Total_GB) as latesttotal by Target_Name Disk_Group
| stats sum(latestusable) as UsableFree sum(latesttotal) as UsableTotal by Target_Name
| eval percent_free = round(((UsableFree/UsableTotal)*100),2)
| table Target_Name UsableFree UsableTotal precent_free
---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

Reply
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎03-02-2022 09:55 PM

Hey @AK89,

Can you try running the below query? I believe it should help you achieve your use case. You can use multiple latest functions and group by the target.

sourcetype=xyz (Disk_Group = "Data*")
| stats latest(Usable_Free_GB) as latestusable latest(Usable_Total_GB) as latesttotal by Target_Name Disk_Group
| stats sum(latestusable) as UsableFree sum(latesttotal) as UsableTotal by Target_Name
| eval percent_free = round(((UsableFree/UsableTotal)*100),2)
| table Target_Name UsableFree UsableTotal precent_free
---
If you find the answer helpful, an upvote/karma is appreciated
Reply
Solved! Jump to solution

AK89
Explorer
‎03-03-2022 05:10 AM

Thanks. I tried using multiple functions on same command but i must have been messing something up. Thanks for helping me with such a simple question! 

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-02-2022 09:48 PM

Hi @AK89 

you can use multiple  funcation in same stats command 

sourcetype=xyz Disk_Group="*Data*"
| stats latest(Usable_Free_GB) as LatestUsable  latest(Usable_Total_GB) as LastestTotal  by Target_Name Disk_Group

| stats sum(LatestUsable) as UsableSpaceFree sum(LastestTotal) as TotalUsableSpace  count(eval(round((UsableSpaceFree/TotalUsableSpace)*100,2))) as percent_free by Target_Name 

Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
li.common.scroll-to.top