Splunk Search

Newbie search question

chrismor
Explorer

The vmstat log entry looks like this (Edited for brevity):

memTotalMB  memFreeMB
       991        199

And if I have index=os sourcetype=vmstat I get all the relevant log events showing up. What I want to do is to show when memFreeMB drops below a threshold, so I had the command

index=os sourcetype=vmstat memfreemb < 200

But nothing passes the filter.

I can do:

index= os sourcetype=vmstat memfreemb

and get every relevant event for the time window.

What did I do wrong?

Cheers,


woodcock
Esteemed Legend

Field names are case-sensitive so the field name you gave does not exist; try this:

index=os sourcetype=vmstat memFreeMB < 200

Ron_Naken
Splunk Employee

You probably don't need the | convert. memFreeMB should resolve as a Numeric value. You can confirm this with something like | eval t=typeof(memFreeMB) | table t


chrismor
Explorer

I think I worked it out:

index="os" sourcetype="vmstat" host=* | multikv fields memFreeMB | convert rmunit(memFreeMB) | search memFreeMB < 200

Any comments or recommendations on this now?

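Added illustration, not taken from any of the posts above: a small Python model of what the final pipeline does, with `multikv` and `rmunit` written here to mimic the SPL commands of the same name and the vmstat rows constructed for the example. It shows why the lowercase field name returns nothing while the exact-case name works, and why `rmunit` matters if a value carries a unit suffix.

```python
import re

# Constructed vmstat-style events in the thread's layout: a header row of
# field names followed by one row of values (values are made up).
SAMPLE_EVENTS = [
    "memTotalMB  memFreeMB\n       991        199",
    "memTotalMB  memFreeMB\n       991        512",
    "memTotalMB  memFreeMB\n       991        150MB",
]


def multikv(event):
    """Mimic Splunk's multikv for a two-line table: first line holds the
    field names, second line the values. Field names keep their exact case,
    as Splunk field names do."""
    lines = [ln for ln in event.splitlines() if ln.strip()]
    header = lines[0].split()
    values = lines[1].split()
    return dict(zip(header, values))


def rmunit(value):
    """Mimic convert rmunit: drop a trailing unit and return a number,
    or None when the value does not start with a number."""
    m = re.match(r"^\s*([-+]?\d+(?:\.\d+)?)", value)
    return float(m.group(1)) if m else None


def search_below(events, field, threshold):
    """Return the extracted field sets whose numeric `field` is below
    `threshold`. A field name in the wrong case never matches, so the
    filter silently drops every event, which is the symptom in the question."""
    hits = []
    for ev in events:
        fields = multikv(ev)
        if field not in fields:        # case-sensitive lookup, like Splunk
            continue
        val = rmunit(fields[field])
        if val is not None and val < threshold:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    print(len(search_below(SAMPLE_EVENTS, "memfreemb", 200)))  # 0: wrong case
    print(len(search_below(SAMPLE_EVENTS, "memFreeMB", 200)))  # 2
```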