Splunk Search

How to search result in data and put it in a table

codedtech
Path Finder

I need to create a table from the results in the query below. where the utilization is greater than or equal to .7.

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated =  round((vmdkallocated/free*100),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|where utilization>=.7|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization

Please feel free to rewrite my code, I know its not efficient or pretty. I'm still learning splunk.

0 Karma
1 Solution

codedtech
Path Finder

This worked thank you

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated = round((vmdkallocated/free),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization|where utilization>=0.75|sort -utilization

View solution in original post

0 Karma

codedtech
Path Finder

This worked thank you

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated = round((vmdkallocated/free),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization|where utilization>=0.75|sort -utilization

0 Karma

diogofgm
SplunkTrust
SplunkTrust

try removing the |whereand check the final table for the utilisation values. if all seems ok and you're able to find utilization greater than 0.7 (also try using the 0 before the . ) add the |where after the |table . If this still does not work, replace the |where with |search

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

diogofgm
SplunkTrust
SplunkTrust

If this post solved you problem please mark it as an answer. Thanks

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

codedtech
Path Finder

I for some reason can't get only the values that are above .7 to display in the table, if I run it like this I get over 1000 results. I'm trying to use this to create an alert that will be distributed via email to the rest of the guys I work with. I need to cut that down to only the results that are greater than or equal to .7

0 Karma

diogofgm
SplunkTrust
SplunkTrust

what's the problem you're trying to have solve? Isn't this working?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Tech Talk | Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...

Thank You for Celebrating CX Day with Splunk!

Yesterday the entire team at Splunk + Cisco joined the global celebration of CX Day - celebrating our ...