Splunk Search

Newbie search question

chrismor
Explorer

The vmstat log entry looks like this (Edited for brevity):

memTotalMB  memFreeMB
       991        199

And if I have index=os sourcetype=vmstat I get all the relevant log events showing up. What I want to do is to show when memFreeMB drops below a threshold, so I had the command

index=os sourcetype=vmstat memfreemb < 200

But nothing passes the filter.

I can do:

index= os sourcetype=vmstat memfreemb

and get every relevant event for the time window.

What did I do wrong?

Cheers,


woodcock
Esteemed Legend

Field names are case-sensitive so the field name you gave does not exist; try this:

index=os sourcetype=vmstat memFreeMB < 200

Ron_Naken
Splunk Employee

You probably don't need the | convert. memFreeMB should resolve as a Numeric value. You can confirm this with something like | eval t=typeof(memFreeMB) | table t


chrismor
Explorer

I think I worked it out:

index="os" sourcetype="vmstat" host=* | multikv fields memFreeMB | convert rmunit(memFreeMB) | search memFreeMB < 200

Any comments or recommendations on this now?

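As an added illustration (not code from the thread or from Splunk), here is a small Python model of what the final pipeline does to a tabular vmstat event: splitting the header/value table into fields the way multikv does, stripping a trailing unit the way convert rmunit() does, and applying the threshold. The sample log is constructed; the function names are assumptions for this example only.

```python
"""Model of: multikv fields memFreeMB | convert rmunit(memFreeMB) | search memFreeMB < 200.
Shows why a lowercase field name matched nothing while the correctly cased one works."""
import re

# Constructed sample vmstat events: a header row followed by value rows.
# Some collectors append a unit, which is what convert rmunit() strips.
SAMPLE_VMSTAT = """memTotalMB  memFreeMB
       991        199
       991        350MB
       991         42
"""

def multikv(text):
    """Split a header+rows table into one dict per row, keyed by the header
    names exactly as written (Splunk field names are case-sensitive)."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    return [dict(zip(header, row.split())) for row in lines[1:]]

def rmunit(value):
    """Drop a trailing unit such as 'MB' and return a number, or None when the
    value has no leading numeric part (mirrors convert rmunit())."""
    m = re.match(r"^\s*(-?\d+(?:\.\d+)?)", value)
    return float(m.group(1)) if m else None

def low_memory_events(text, field, threshold):
    """Return the rows whose numeric `field` is below `threshold`.
    A field name in the wrong case matches no rows, exactly as in the thread."""
    hits = []
    for row in multikv(text):
        if field not in row:        # 'memfreemb' never matches 'memFreeMB'
            continue
        val = rmunit(row[field])
        if val is not None and val < threshold:
            hits.append(row)
    return hits

if __name__ == "__main__":
    print(low_memory_events(SAMPLE_VMSTAT, "memfreemb", 200))  # [] -> the original bug
    print(low_memory_events(SAMPLE_VMSTAT, "memFreeMB", 200))  # the 199 and 42 rows
```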