Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with temp tables and variables

AK89
Explorer
‎03-02-2022 06:14 PM

New to splunk and been struggling manipulating search results into a final result that I am looking for. In powershell where I'm familiar, I would just use a series of variables and return a final result set. I am trying to accomplish the below.

(each target_name has multiple disk_group)

1) i need to find the latest Usable_Free_GB for each disk_group in each target_name and sum them

Screenshot 2022-03-02 210151.png

2) i need to find the latest Usable_Total_GB for each disk_group in each target_name and sum them

Screenshot 2022-03-02 210209.png

I can get #1 and #2 in different searches, but am struggling to get them together to return a result set like this:

Target_Name UsableSpaceFree TotalUsableSpace
Target_Name1 123 456
Target_Name2 234 567

 

This is the closest I can get. But I need to only have 2 rows returned with all three fields populated 

 

Screenshot 2022-03-02 211537.png

Once I can get the result set grouped by Target_Name, I then need to use eval to create a new field like the below using the values from #1 and #2

 

eval percent_free=round((UsableSpaceFree/TotalUsableSpace)*100,2)

 

Target_Name UsableSpaceFree TotalUsableSpace percent_free
Target_Name1 123 456 ?
Target_Name2 234 567 ?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎03-02-2022 09:55 PM

Hey @AK89,

Can you try running the below query? I believe it should help you achieve your use case. You can use multiple latest functions and group by the target.

sourcetype=xyz (Disk_Group = "Data*")
| stats latest(Usable_Free_GB) as latestusable latest(Usable_Total_GB) as latesttotal by Target_Name Disk_Group
| stats sum(latestusable) as UsableFree sum(latesttotal) as UsableTotal by Target_Name
| eval percent_free = round(((UsableFree/UsableTotal)*100),2)
| table Target_Name UsableFree UsableTotal precent_free
---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

Reply
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎03-02-2022 09:55 PM

Hey @AK89,

Can you try running the below query? I believe it should help you achieve your use case. You can use multiple latest functions and group by the target.

sourcetype=xyz (Disk_Group = "Data*")
| stats latest(Usable_Free_GB) as latestusable latest(Usable_Total_GB) as latesttotal by Target_Name Disk_Group
| stats sum(latestusable) as UsableFree sum(latesttotal) as UsableTotal by Target_Name
| eval percent_free = round(((UsableFree/UsableTotal)*100),2)
| table Target_Name UsableFree UsableTotal precent_free
---
If you find the answer helpful, an upvote/karma is appreciated
Reply
Solved! Jump to solution

AK89
Explorer
‎03-03-2022 05:10 AM

Thanks. I tried using multiple functions on same command but i must have been messing something up. Thanks for helping me with such a simple question! 

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-02-2022 09:48 PM

Hi @AK89 

you can use multiple  funcation in same stats command 

sourcetype=xyz Disk_Group="*Data*"
| stats latest(Usable_Free_GB) as LatestUsable  latest(Usable_Total_GB) as LastestTotal  by Target_Name Disk_Group

| stats sum(LatestUsable) as UsableSpaceFree sum(LastestTotal) as TotalUsableSpace  count(eval(round((UsableSpaceFree/TotalUsableSpace)*100,2))) as percent_free by Target_Name 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...