- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Sub Search failing due to return with no items
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sub Search failing due to return with no items
I am very close but need some assistance. I am attempting to create an alert based upon the criteria "Free Megabytes"<6000 AND "% Free Space" <10. I have that logic working below...
sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="% Free Space" Value<20 [ search host=* sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="Free Megabytes" Value<6000 | return 1000 host ]
The above code works as long as there is a hit for the Free Megabytes < 6000. However if there are no hits, no host is returned to the % Free Space so it show all hosts that meet that critera. How can this be adapted so that no hosts returned doesn't result in further query? I am guessing eval, but my Splunk-fu is weak.
Any help is appreciated but actual code would be most helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this on pre-8.1 Splunk
sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="% Free Space" Value<20
[ search host=* sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="Free Megabytes" Value<6000
| return 1000 host
| appendpipe [ stats count | eval host="something that will never match" | where count==0 | fields - count ] ]and try this on Splunk 8.1
sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="% Free Space" Value<20
[ search host=* sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="Free Megabytes" Value<6000
| return 1000 host
| require ]If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much. We are on 8.1, so I read up on the REQUIRE command.
I am seeing something very strange so maybe there is something else going on.
search host=* sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="Free Megabytes" Value<6000
| return 1000 host
| appendpipe [ stats count | eval host="something that will never match" | where count==0 | fields - count ]
When I run the search above and when I run the 8.1 version with Require I get no returned items. As I would expect. However, if I change Value<6000 to Value<2000, I get incorrect results. I don't understand how this can be because if it is less than 6000, it is also less than 2000. Any ideas of what could be causing this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me be more clear...
When I run...
sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="% Free Space" Value<20
[ search host=* sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="Free Megabytes" Value<6000
| return 1000 host
| require ]I get ZERO events, which is expected.
However, if I change the 6000 to a 2000, I get events returned.
To further diagnose, here is what I am seeing...
If I run the subsearch...
host=* sourcetype="Perfmon:Free Disk Space" instance!=HarddiskVolume* instance!=_Total counter="Free Megabytes" Value<6000
| return 1000 host
| requireI get servers returned.
If I change to 2000, no servers returned.
Therefore, it seems something in the first part is not handling correctly when no servers are returned.
NOTE: I used the other (pre-8.1 logic) and it exhibits the exact same returns.
It appears with no returns from the subsearch, the first search is running against all servers. I need the first search to fail if the subsearch returns nothing (which it seems is what the require command is suppost to do).
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"if it is less than 6000, it is also less than 2000" ? 5999 is less than 6000 but it isn't less than 2000!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you even look at the code or what I am saying? The query for less than 6000 returned nothing, but the query for less than 2000 retuned items. Helpful responses are appreciated.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
