The vmstat log entry looks like this (Edited for brevity):
memTotalMB memFreeMB
991 199
And if I have index=os sourcetype=vmstat I get all the relevant log events showing up. What I want to do is to show when memFreeMB drops below a threshold, so I had the command
index=os sourcetype=vmstat memfreemb < 200
But nothing passes the filter.
I can do:
index=os sourcetype=vmstat memfreemb
and get every relevant event for the time window.
What did I do wrong?
Cheers,
Field names are case-sensitive, so the field name you gave does not exist; try this:
index=os sourcetype=vmstat memFreeMB < 200
You probably don't need the | convert. memFreeMB should resolve as a numeric value. You can confirm this with something like | eval t=typeof(memFreeMB) | table t
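As an added illustration (not part of the original thread, and assuming the same index=os / sourcetype=vmstat data with a memFreeMB field already extracted), here are two SPL searches: the first groups events by the type Splunk assigns to memFreeMB, so you can see at a glance whether any events carry a non-numeric value; the second applies the threshold with a `where` clause guarded by `isnum()`, which skips events where the field is missing or not numeric instead of silently dropping them from a bare `search` comparison:

```spl
index=os sourcetype=vmstat
| eval fieldtype=typeof(memFreeMB)
| stats count by fieldtype

index=os sourcetype=vmstat
| where isnum(memFreeMB) AND memFreeMB < 200
| table _time host memTotalMB memFreeMB
| sort -_time
```

If the first search shows anything other than "Number" for fieldtype (for example "String" or "Invalid"), the extraction is picking up a unit suffix or failing on some events, and that is the case where a `| convert rmunit(memFreeMB)` step before the threshold comparison is actually needed.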
I think I worked it out:
index="os" sourcetype="vmstat" host=* | multikv fields memFreeMB | convert rmunit(memFreeMB) | search memFreeMB < 200
Any comments or recommendations on this now?