Splunk Search

How can I create a chart using the value for each drive in my sample data?

andrei1bc
Communicator

Hello

I have the following event. Is there any way to create a chart using the value for each drive? Thank you in advance.

Collection = WindowsHDD 
Counter = Drive C:
Value =  49.89 GB

Collection = WindowsHDD 
Counter = Drive D:
Value =  1,451.76 GB
1 Solution

Richfez
SplunkTrust

Sorry for multiple edits, I forgot angle brackets get eaten sometimes by the inline code tags so I converted one to an ugly code block.

One way would be to use Regex to create a tiny bit of structure. If I'm reading this right, at the moment your problem is that though you may have fields named "counter" and "value", you can't actually correlate which counter goes with which value. So, let's create a few variables.

I'll show you a sort of brute force way because it's more clear. Don't be scared by the rex, I'll explain in a bit.

...my search that returns the above events... | rex field=_raw "(?m)Drive\s+C:\s+Value\s+=\s+(?<c_drive>[^ ]+)"

The string for the rex says...
(?m) - search across multiple lines
Drive - find the exact string Drive
\s+ - followed by one or more spaces or other whitespace characters
C:\s+Value\s+=\s+ - more strings and spaces in a certain order
(?...) - these indicate I'm creating a new field out of the next things I specify
<c_drive> - name whatever I find as the fieldname c_drive
[^ ]+ - the plus says to match one or more of the items inside the brackets, EXCEPT the first character inside the bracket is ^ which means NOT. So what it's actually saying is to match one or more non-space characters, so it'll then grab 49.49 or whatever up to the next space.

You can repeat the entire thing changing a few small variables and create a second rex for d_drive.

...my search that returns the above events... 
| rex field=_raw "(?m)Drive\s+C:\s+Value\s+=\s+(?<c_drive>[^ ]+)"
| rex field=_raw "(?m)Drive\s+D:\s+Value\s+=\s+(?<d_drive>[^ ]+)"

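The two rex patterns from the answer, run offline in Python against a constructed copy of the event in the question so you can see exactly what each capture group returns (an added example, not Richfez's or Splunk's code). Python spells a named group `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the `drive_values` function, a single pattern that captures every drive letter and converts the captured text to a number, is my generalization of the one-rex-per-drive approach and is not in the answer.

```python
import re
from typing import Optional

# Constructed sample event, laid out like the one in the question.
SAMPLE_EVENT = """Collection = WindowsHDD
Counter = Drive C:
Value =  49.89 GB

Collection = WindowsHDD
Counter = Drive D:
Value =  1,451.76 GB
"""


def per_drive_rex(event: str, letter: str) -> Optional[str]:
    """Apply the answer's per-drive pattern for one drive letter.

    (?m) only changes what ^ and $ mean; it is the \\s+ after "C:" that
    crosses the line break between "Counter = Drive C:" and "Value =".
    """
    pattern = rf"(?m)Drive\s+{letter}:\s+Value\s+=\s+(?P<val>[^ ]+)"
    m = re.search(pattern, event)
    return m.group("val") if m else None


# One pattern that matches any drive letter, so a new drive does not need
# a new rex. [^ ]+ still stops at the first space, exactly as explained above.
DRIVE_VALUE = re.compile(r"Drive\s+(?P<drive>[A-Za-z]):\s+Value\s+=\s+(?P<val>[^ ]+)")


def to_gb(raw: str) -> float:
    # "1,451.76" as captured by [^ ]+ keeps the thousands separator, which
    # is not a number yet; strip it before charting or the D: value is lost.
    return float(raw.replace(",", ""))


def drive_values(event: str) -> dict:
    """Return {drive letter: size in GB} for every drive in the event."""
    return {m.group("drive"): to_gb(m.group("val")) for m in DRIVE_VALUE.finditer(event)}


if __name__ == "__main__":
    print(per_drive_rex(SAMPLE_EVENT, "C"))  # 49.89
    print(per_drive_rex(SAMPLE_EVENT, "D"))  # 1,451.76
    print(drive_values(SAMPLE_EVENT))        # {'C': 49.89, 'D': 1451.76}
```

The same comma caveat applies in Splunk: the captured `d_drive` string needs the separator removed before it charts as a number.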