Splunk Search

How to search result in data and put it in a table

Path Finder

I need to create a table from the results of the query below, where the utilization is greater than or equal to .7.

index=test cluster="*"
| bin _time span=1d
| eval time=(time)
| eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time
| eval over_allocated = round((vmdkallocated/free*100),2)
| eval utilization = round(((vmdkused+garbage)/capacity),2)
| eval capacity = round((capacity),2)
| eval free = round((free),2)
| eval garbage = round((garbage),2)
| eval vmdkallocated = round((vmdkallocated),2)
| eval vmdkused = round((vmdkused),2)
| dedup _time cluster
| where utilization>=.7
| table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization

Please feel free to rewrite my code, I know it's not efficient or pretty. I'm still learning Splunk.

0 Karma

Re: How to search result in data and put it in a table

Motivator

What's the problem you're trying to solve? Isn't this working?

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

Re: How to search result in data and put it in a table

Path Finder

For some reason I can't get only the values that are above .7 to display in the table; if I run it like this I get over 1000 results. I'm trying to use this to create an alert that will be distributed via email to the rest of the guys I work with. I need to cut that down to only the results that are greater than or equal to .7.

0 Karma

Re: How to search result in data and put it in a table

Motivator

Try removing the |where and check the final table for the utilisation values. If all seems OK and you're able to find utilization greater than 0.7 (also try using the 0 before the .), add the |where after the |table. If this still does not work, replace the |where with |search.

0 Karma

Re: How to search result in data and put it in a table

Motivator

If this post solved your problem, please mark it as an answer. Thanks.

0 Karma

Re: How to search result in data and put it in a table

Path Finder

This worked, thank you.

index=test cluster="*"
| bin _time span=1d
| eval time=(time)
| eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time
| eval overallocated = round((vmdkallocated/free),2)
| eval utilization = round(((vmdkused+garbage)/capacity),2)
| eval capacity = round((capacity),2)
| eval free = round((free),2)
| eval garbage = round((garbage),2)
| eval vmdkallocated = round((vmdkallocated),2)
| eval vmdkused = round((vmdkused),2)
| dedup _time cluster
| table _time cluster capacity free garbage vmdkallocated vmdkused overallocated utilization
| where utilization>=0.75
| sort -utilization

0 Karma
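
A more compact form of the search in this thread, as an added example that is not part of the original posts: `stats` collapses each cluster to one row per day, which replaces the `eventstats` plus `dedup` pair, and the threshold is tested on the unrounded ratio before the values are rounded for display. The index, field names and the 0.7 threshold are taken from the posts above; it is an assumption that every event carries all five `*GB` fields.

```spl
index=test cluster="*"
| bin _time span=1d
| stats sum(dscapacityGB) as capacity
        sum(dsfreeGB) as free
        sum(dsgarbageGB) as garbage
        sum(vmdkallocGB) as vmdkallocated
        sum(vmdkusedGB) as vmdkused
        by _time cluster
| eval utilization = (vmdkused + garbage) / capacity
| eval over_allocated = vmdkallocated / free * 100
| where utilization >= 0.7
| foreach capacity free garbage vmdkallocated vmdkused over_allocated utilization
    [ eval <<FIELD>> = round('<<FIELD>>', 2) ]
| sort - utilization
| table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization
```

Because the filter runs before rounding, a ratio such as 0.696 is excluded here, whereas the searches in the thread test the rounded value (0.70) and would keep it. Rows where `capacity` sums to zero produce a null `utilization` and are dropped by the `where` clause.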