How to combine 2 searches to get show values and percentage of host and instance fields?

shreyasathavale
Communicator

Hi,

I have 2 searches: the 1st outputs values (2GB) and the other outputs a percentage (2%).

index=windows sourcetype="Perfmon:Free Disk Space" role=ABC  counter="Free Megabytes"  instance!=_Total| eval Value=(Value/1024)|eval Value= round(Value,2)|chart values(Value) by host, instance

index=windows sourcetype="Perfmon:Free Disk Space" role=ABC   counter="% Free Space" instance!=_Total|eval Value= round(Value,2)|chart values(Value)  by  host,instance

I want the output to show values as well as percent for the host and instance (C/D)...
Any ideas will be appreciated 🙂

Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

hi shreyasathavale,
try something like this:

index=windows sourcetype="Perfmon:Free Disk Space" role=ABC counter="Free Megabytes" instance!=_Total 
| eval Value=round(Value/1024,2)
| stats values(Value) AS "Free Megabytes" by host, instance
| append [ search 
   index=windows sourcetype="Perfmon:Free Disk Space" role=ABC counter="% Free Space" instance!=_Total 
   | eval Value=round(Value,2)
   | stats values(Value) AS "% Free Space" by host, instance
   ]
| stats values("Free Megabytes") AS "Free Megabytes" values("% Free Space") AS "% Free Space" by host, instance

Bye.
Giuseppe

0 Karma

woodcock
Esteemed Legend

Like this:

index=windows sourcetype="Perfmon:Free Disk Space" role=ABC  (counter="Free Megabytes" OR counter="% Free Space")  instance!=_Total
| eval Value=if(counter="Free Megabytes", Value/1024, round(Value,2))
| chart values(Value) by host, instance
0 Karma

somesoni2
SplunkTrust

Try like this.

index=windows sourcetype="Perfmon:Free Disk Space" role=ABC (counter="Free Megabytes" OR counter="% Free Space") instance!=_Total
| eval Value=if(counter="Free Megabytes", round(Value/1024,2), round(Value,2))
| eval instance=instance.":".counter
| chart values(Value) by host, instance
0 Karma

cmerriman
Super Champion

you could do:

index=windows sourcetype="Perfmon:Free Disk Space" role=ABC counter="Free Megabytes" instance!=_Total| eval Value=(Value/1024)|eval Value= round(Value,2)|chart values(Value) by host, instance|join type=left host [search index=windows sourcetype="Perfmon:Free Disk Space" role=ABC counter="% Free Space" instance!=_Total|eval Value= round(Value,2)|chart values(Value) by host,instance]

but that has limitations with the join, or you could try this:

index=windows sourcetype="Perfmon:Free Disk Space" role=ABC (counter="Free Megabytes" OR counter="% Free Space") instance!=_Total    |eval Value=if(counter="Free Megabytes",round((Value/1024),2),round(Value,2))
|chart values(Value) by host, instance
0 Karma

shreyasathavale
Communicator

Thanks Giuseppe, I was going for "join" but append is anytime better 🙂

0 Karma

woodcock
Esteemed Legend

The append command has the same downsides as join does. Did you try any of the answers that do not use either?

0 Karma
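
A single-pass variant of the searches above that uses neither append nor join, added here as an example and not taken from any answer in the thread: it splits Value into one field per counter before aggregating, so each host and instance row gets a separate size column and percent column, and no subsearch is involved. The field names free_gb and free_pct, the column label "Free GB", and the choice of latest() rather than values() (to show only the most recent sample in the time range) are assumptions.

```spl
index=windows sourcetype="Perfmon:Free Disk Space" role=ABC (counter="Free Megabytes" OR counter="% Free Space") instance!=_Total
| eval free_gb=if(counter="Free Megabytes", round(Value/1024,2), null())
| eval free_pct=if(counter="% Free Space", round(Value,2), null())
| stats latest(free_gb) AS "Free GB" latest(free_pct) AS "% Free Space" by host, instance
| sort host, instance
```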