Re: Newbie search question

chrismor · ‎02-13-2011

The vmstat log entry looks like this (Edited for brevity):

memTotalMB  memFreeMB
       991        199

And if I have index=os sourcetype=vmstat I get all the relevant log events showing up. What I want to do is to show when memFreeMB drops below a threshold, so I had the command

index=os sourcetype=vmstat memfreemb < 200

But nothing passes the filter.

I can do:

index= os sourcetype=vmstat memfreemb

and get every relevant for the time window.

What did I do wrong?

Cheers,

woodcock · ‎05-27-2015

Field names are case-sensitive so the field name you gave does not exist; try this:

index=os sourcetype=vmstat memFreeMB< 200

Ron_Naken · ‎02-14-2011

You probably don't need the | convert. memFreeMB should resolve as a Numeric value. You can confirm this with something like | eval t=typeof(memFreeMB) | table t

chrismor · ‎02-14-2011

I think I worked it out: index="os" sourcetype="vmstat" host=* | multikv fields memFreeMB | convert rmunit(memFreeMB) | search memFreeMB < 200 Any comments or recommendations on this now?

Newbie search question

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!