Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to limit the results to UP TO 3 per host?

thebankitgui
Path Finder
‎06-23-2023 12:02 PM

Good Afternoon,

I have a query to get disk space from servers. Each server has between 1 and 3 drives. My query will output a list of all Hosts, Drives, Times and Free Space % but the results are for the last minute and show all results for each host in that minute (several each). Is there a way to limit the results to UP TO 3 per host? If I "dedup 3" it creates 3 for the hosts that have 1 or 2 drives. Thank you!

 

 

(index=main) sourcetype=perfmon:LogicalDisk instance!=_Total instance!=Harddisk* | eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),Free_Megabytes), FreePct-{instance}=storage_free_percent,FreeMB-{instance}=Free_Megabytes| search counter="% Free Space" | eval Time=strftime (_time,"%Y-%m-%d %H:%M:%S") | table Time, host, instance, Value | eval Value=round(Value,0) | rename Value AS "Free%" | rename instance AS "Drive" | rename host AS "Host"

 

 

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-23-2023 06:09 PM

Give this a try:

(index=main) sourcetype=perfmon:LogicalDisk instance!=_Total instance!=Harddisk*
| eval FreePct-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(),true(),storage_free_percent), FreeMB-Other=case( match (instance, "C:"), null(), match(instance,"D:"), null(), true(),Free_Megabytes), FreePct-{instance}=storage_free_percent,FreeMB-{instance}=Free_Megabytes
| search counter="% Free Space" ``` why is this not in the index search? ```
| eval data=strftime (_time,"%Y-%m-%d %H:%M:%S") . "|" . instance . "|" Value
| stats values(data) as data by host
| mvexpand data
| tail 3
| eval data = split(data, "|")
| eval Time = mvindex(data, 0), Drive = mvindex(data, 1), "Free%" = mvindex(data, 2)
| rename host AS "Host"
0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...