I want to do this but it doesn't work, why ? How can I fix this ?
index=xxxx eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" host=cccc "instance=C:"
| eval percentfree = round((Value),4)
| join
[search index=xxxx eventtype="perfmon_windows" object="LogicalDisk" counter="Free Megabytes"
| eval gfree = round(value/1000,2)
| eval usedGb = round(percentused*gfree/percentfree,2)
| eval totalgb = round(usedGb+gfree,2)]
after that i want to do a timechart :
| timechart span=1m eval(100 - round(latest(Value),4)) as usedGb by instance
Thank you
Try this:
index=xxxx AND eventtype="perfmon_windows" AND object="LogicalDisk" AND ((counter="% Free Space" AND host="cccc" AND "instance=C:") OR counter="Free Megabytes")
| dedup punct
| table "Free Megabytes" "% Free Space" value
| eval {counter} = value
| stats first("Free Megabytes") AS gfree first("% Free Space") AS percentfree
| eval percentfree = round((percentfree),4)
| eval gfree = round(gfree/1000,2)
| eval usedGb = round(percentused*gfree/percentfree,2)
| eval totalgb = round(usedGb+gfree,2)
| eval host="cccc"
Hi @henriq_c ,
You search is a bit confusing. You're using a join to try and calculate percentused, when you can just use the first value to calculate it:
| eval percentused = round((100 - Value), 4)
index=xxxx eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" host=cccc instance="C:"
| eval percentused = round((100 - Value), 4)
| timechart span=1m percentused by instance
If that's not what you're looking for, perhaps you could explain what you are trying to do more clearly.
Updated answer:
index=xxxx eventtype="perfmon_windows" object="LogicalDisk" (counter="% Free Space" host=cccc instance="C:") OR (counter="Free Megabytes" host=cccc instance="C:")
| eval percentfree = case( counter=="% Free Space", round(Value, 4) )
| eval gbfree = case( counter=="Free Megabytes", round(Value / 1000, 2) )
| stats latest(percentfree) as percentfree latest(gbfree) as gbfree by host instance
| eval gbused = round( ( gbfree / percentfree * 100 ), 2) - gbfree
| timechart span=1m gbused by instance
oh my bad, look EDIT
I see what you're trying to do now.
Try this:
index=xxxx eventtype="perfmon_windows" object="LogicalDisk" (counter="% Free Space" host=cccc instance="C:") OR (counter="Free Megabytes" host=cccc instance="C:")
| eval percentfree = case( counter=="% Free Space", round(Value, 4) )
| eval gbfree = case( counter=="Free Megabytes", round(Value / 1000, 2) )
| stats latest(percentfree) as percentfree latest(gbfree) as gbfree by host instance
| eval gbused = round( ( gbfree / percentfree * 100 ), 2) - gbfree
| timechart span=1m gbused by instance
doesn't work, Error in 'timechart' command: The specifier 'gbused' is invalid. It must be in form (). For example: max(size).
I did this and it works :
timechart span=1m eval(round(latest(gbfree),4) / round(latest(percentfree),4) * 100 - round(latest(gbfree),4))
In maths, it is the same : percentused*gfree/percentfree and gbfree / percentfree * 100 - gbfree ? no ?