Newbie search question

chrismor · ‎02-13-2011

The vmstat log entry looks like this (Edited for brevity):

memTotalMB  memFreeMB
       991        199

And if I have index=os sourcetype=vmstat I get all the relevant log events showing up. What I want to do is to show when memFreeMB drops below a threshold, so I had the command

index=os sourcetype=vmstat memfreemb < 200

But nothing passes the filter.

I can do:

index= os sourcetype=vmstat memfreemb

and get every relevant for the time window.

What did I do wrong?

Cheers,

woodcock · ‎05-27-2015

Field names are case-sensitive so the field name you gave does not exist; try this:

index=os sourcetype=vmstat memFreeMB< 200

Ron_Naken · ‎02-14-2011

You probably don't need the | convert. memFreeMB should resolve as a Numeric value. You can confirm this with something like | eval t=typeof(memFreeMB) | table t

chrismor · ‎02-14-2011

I think I worked it out: index="os" sourcetype="vmstat" host=* | multikv fields memFreeMB | convert rmunit(memFreeMB) | search memFreeMB < 200 Any comments or recommendations on this now?

Newbie search question

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Newbie search question

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem