How to dedup search to limit to 1 event per host p...

DamageSplunk · ‎06-13-2015

I'm using the winhostmon collection and I want to chart disk space usage over time. I have the collection set up to run once a day. The issue is that if splunk is restarted at any time, the collection runs again, producing more than one event per day and that skews the total per day. I've tried to limit the maxevents=1, but that doesn't seem to fix the problem and I'd prefer not to dedup based on host+Name+date. Is there a better way?

index=machine host=*hostfilter* sourcetype=winhostmon source=disk DriveType=fixed NOT Name="C:"
 | transaction host, TotalSpaceKB, FreeSpaceKB maxevents=1 maxspan=1d
 | eval gbtotal=(TotalSpaceKB/1024/1024/1024)
 | eval gbfree=(FreeSpaceKB/1024/1024/1024)
 | eval gbused=((TotalSpaceKB-FreeSpaceKB)/1024/1024/1024) 
 | timechart span=1d sum(gbtotal) as TotalSpaceTB, sum(gbfree) as TotalFreeTB

yannK · ‎06-13-2015

The dedup on host / date works.
another method is to get rid of the transaction and use a less costly stats with the function first() (firs is counter intuitive, means the last value of the period, as splunk search backward in time)

<mysearch> 
| bucket _time span=1d 
| stats first(TotalSpaceKB) AS TotalSpaceKB 
            first(FreeSpaceKB) AS FreeSpaceKB 
            by host  _time
| eval gbtotal=(TotalSpaceKB/1024/1024/1024)
| eval gbfree=(FreeSpaceKB/1024/1024/1024)
| eval gbused=((TotalSpaceKB-FreeSpaceKB)/1024/1024/1024) 
| timechart span=1d sum(gbtotal) as TotalSpaceTB, sum(gbfree) as TotalFreeTB

How to dedup search to limit to 1 event per host per day

Buttercup Games: Further Dashboarding Techniques (Part 3)

Digital Resilience Assessment Launch | How prepared are you for disruption?

Buttercup Games: Further Dashboarding Techniques (Part 2)