Splunk Search

How to search result in data and put it in a table

codedtech
Path Finder

I need to create a table from the results in the query below, where the utilization is greater than or equal to .7.

index=test cluster="*"
| bin _time span=1d
| eval time=(time)
| eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time
| eval over_allocated = round((vmdkallocated/free*100),2)
| eval utilization= round(((vmdkused+garbage)/capacity),2)
| eval capacity = round((capacity),2)
| eval free = round((free),2)
| eval garbage = round((garbage),2)
| eval vmdkallocated = round((vmdkallocated),2)
| eval vmdkused = round((vmdkused),2)
| dedup _time cluster
| where utilization>=.7
| table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization

Please feel free to rewrite my code, I know it's not efficient or pretty. I'm still learning Splunk.

0 Karma
1 Solution

codedtech
Path Finder

This worked, thank you.

index=test cluster="*"
| bin _time span=1d
| eval time=(time)
| eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time
| eval over_allocated = round((vmdkallocated/free),2)
| eval utilization= round(((vmdkused+garbage)/capacity),2)
| eval capacity = round((capacity),2)
| eval free = round((free),2)
| eval garbage = round((garbage),2)
| eval vmdkallocated = round((vmdkallocated),2)
| eval vmdkused = round((vmdkused),2)
| dedup _time cluster
| table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization
| where utilization>=0.75
| sort -utilization


0 Karma
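
Added example, not part of the original thread or any poster's code: the same report written with `stats` in place of `eventstats` plus `dedup`, so each day and cluster produces one row, with the threshold filter applied before the cosmetic rounding. It assumes the 0.7 threshold from the question and `over_allocated` as a plain ratio as in the accepted solution; every field name is taken from the posted query.

```spl
index=test cluster="*"
| bin _time span=1d
| stats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by _time cluster
| eval utilization=round((vmdkused+garbage)/capacity, 2)
| eval over_allocated=round(vmdkallocated/free, 2)
| where utilization>=0.7
| foreach capacity free garbage vmdkallocated vmdkused
    [ eval <<FIELD>>=round('<<FIELD>>', 2) ]
| sort - utilization
| table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization
```

Rows where `capacity` sums to 0 get no `utilization` value and are dropped by the `where`, so an alert built on this search stays silent for those clusters.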


diogofgm
SplunkTrust

Try removing the |where and check the final table for the utilisation values. If all seems ok and you're able to find utilization greater than 0.7 (also try using the 0 before the . ), add the |where after the |table . If this still does not work, replace the |where with |search

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

diogofgm
SplunkTrust

If this post solved your problem, please mark it as an answer. Thanks

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

codedtech
Path Finder

For some reason I can't get only the values that are above .7 to display in the table. If I run it like this, I get over 1000 results. I'm trying to use this to create an alert that will be distributed via email to the rest of the guys I work with. I need to cut that down to only the results that are greater than or equal to .7

0 Karma

diogofgm
SplunkTrust

What's the problem you're trying to have solved? Isn't this working?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma