Newbie search question

chrismor · ‎02-13-2011

The vmstat log entry looks like this (Edited for brevity):

memTotalMB  memFreeMB
       991        199

And if I have index=os sourcetype=vmstat I get all the relevant log events showing up. What I want to do is to show when memFreeMB drops below a threshold, so I had the command

index=os sourcetype=vmstat memfreemb < 200

But nothing passes the filter.

I can do:

index= os sourcetype=vmstat memfreemb

and get every relevant for the time window.

What did I do wrong?

Cheers,

woodcock · ‎05-27-2015

Field names are case-sensitive so the field name you gave does not exist; try this:

index=os sourcetype=vmstat memFreeMB< 200

Ron_Naken · ‎02-14-2011

You probably don't need the | convert. memFreeMB should resolve as a Numeric value. You can confirm this with something like | eval t=typeof(memFreeMB) | table t

chrismor · ‎02-14-2011

I think I worked it out: index="os" sourcetype="vmstat" host=* | multikv fields memFreeMB | convert rmunit(memFreeMB) | search memFreeMB < 200 Any comments or recommendations on this now?

Newbie search question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Newbie search question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future