Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with temp tables and variables

AK89
Explorer
‎03-02-2022 06:14 PM

New to splunk and been struggling manipulating search results into a final result that I am looking for. In powershell where I'm familiar, I would just use a series of variables and return a final result set. I am trying to accomplish the below.

(each target_name has multiple disk_group)

1) i need to find the latest Usable_Free_GB for each disk_group in each target_name and sum them

Screenshot 2022-03-02 210151.png

2) i need to find the latest Usable_Total_GB for each disk_group in each target_name and sum them

Screenshot 2022-03-02 210209.png

I can get #1 and #2 in different searches, but am struggling to get them together to return a result set like this:

Target_Name UsableSpaceFree TotalUsableSpace
Target_Name1 123 456
Target_Name2 234 567

 

This is the closest I can get. But I need to only have 2 rows returned with all three fields populated 

 

Screenshot 2022-03-02 211537.png

Once I can get the result set grouped by Target_Name, I then need to use eval to create a new field like the below using the values from #1 and #2

 

eval percent_free=round((UsableSpaceFree/TotalUsableSpace)*100,2)

 

Target_Name UsableSpaceFree TotalUsableSpace percent_free
Target_Name1 123 456 ?
Target_Name2 234 567 ?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎03-02-2022 09:55 PM

Hey @AK89,

Can you try running the below query? I believe it should help you achieve your use case. You can use multiple latest functions and group by the target.

sourcetype=xyz (Disk_Group = "Data*")
| stats latest(Usable_Free_GB) as latestusable latest(Usable_Total_GB) as latesttotal by Target_Name Disk_Group
| stats sum(latestusable) as UsableFree sum(latesttotal) as UsableTotal by Target_Name
| eval percent_free = round(((UsableFree/UsableTotal)*100),2)
| table Target_Name UsableFree UsableTotal precent_free
---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

Reply
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎03-02-2022 09:55 PM

Hey @AK89,

Can you try running the below query? I believe it should help you achieve your use case. You can use multiple latest functions and group by the target.

sourcetype=xyz (Disk_Group = "Data*")
| stats latest(Usable_Free_GB) as latestusable latest(Usable_Total_GB) as latesttotal by Target_Name Disk_Group
| stats sum(latestusable) as UsableFree sum(latesttotal) as UsableTotal by Target_Name
| eval percent_free = round(((UsableFree/UsableTotal)*100),2)
| table Target_Name UsableFree UsableTotal precent_free
---
If you find the answer helpful, an upvote/karma is appreciated
Reply
Solved! Jump to solution

AK89
Explorer
‎03-03-2022 05:10 AM

Thanks. I tried using multiple functions on same command but i must have been messing something up. Thanks for helping me with such a simple question! 

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-02-2022 09:48 PM

Hi @AK89 

you can use multiple  funcation in same stats command 

sourcetype=xyz Disk_Group="*Data*"
| stats latest(Usable_Free_GB) as LatestUsable  latest(Usable_Total_GB) as LastestTotal  by Target_Name Disk_Group

| stats sum(LatestUsable) as UsableSpaceFree sum(LastestTotal) as TotalUsableSpace  count(eval(round((UsableSpaceFree/TotalUsableSpace)*100,2))) as percent_free by Target_Name 

Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...