Splunk Search

Why it doesn't work ? 2 searchs joined and two different counters

henriq_c
Explorer

I want to do this but it doesn't work, why ? How can I fix this ?

 index=xxxx   eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" host=cccc "instance=C:" 
    | eval percentfree = round((Value),4)

    | join 
    [search index=xxxx  eventtype="perfmon_windows" object="LogicalDisk" counter="Free Megabytes"
    | eval gfree = round(value/1000,2)
    | eval usedGb = round(percentused*gfree/percentfree,2)
    | eval totalgb = round(usedGb+gfree,2)]

after that i want to do a timechart :
| timechart span=1m eval(100 - round(latest(Value),4)) as usedGb by instance
Thank you

Tags (3)
0 Karma

woodcock
Esteemed Legend

Try this:

index=xxxx  AND eventtype="perfmon_windows" AND object="LogicalDisk" AND ((counter="% Free Space" AND host="cccc" AND "instance=C:") OR counter="Free Megabytes")
| dedup punct
| table "Free Megabytes" "% Free Space" value
| eval {counter} = value
| stats first("Free Megabytes") AS gfree first("% Free Space") AS percentfree
| eval percentfree = round((percentfree),4)
| eval gfree = round(gfree/1000,2)
| eval usedGb = round(percentused*gfree/percentfree,2)
| eval totalgb = round(usedGb+gfree,2)
| eval host="cccc"
0 Karma

jnudell_2
Builder

Hi @henriq_c ,
You search is a bit confusing. You're using a join to try and calculate percentused, when you can just use the first value to calculate it:

| eval percentused = round((100 - Value), 4)

So your search should look like:
index=xxxx   eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" host=cccc instance="C:" 
| eval percentused = round((100 - Value), 4)
| timechart span=1m percentused by instance

If that's not what you're looking for, perhaps you could explain what you are trying to do more clearly.

Updated answer:

index=xxxx eventtype="perfmon_windows" object="LogicalDisk" (counter="% Free Space" host=cccc instance="C:") OR (counter="Free Megabytes" host=cccc instance="C:")
| eval percentfree = case( counter=="% Free Space", round(Value, 4) )
| eval gbfree = case( counter=="Free Megabytes", round(Value / 1000, 2) )
| stats latest(percentfree) as percentfree latest(gbfree) as gbfree by host instance
| eval gbused = round( ( gbfree / percentfree * 100 ), 2) - gbfree
| timechart span=1m gbused by instance

0 Karma

henriq_c
Explorer

oh my bad, look EDIT

0 Karma

jnudell_2
Builder

I see what you're trying to do now.

Try this:

index=xxxx eventtype="perfmon_windows" object="LogicalDisk" (counter="% Free Space" host=cccc instance="C:") OR (counter="Free Megabytes" host=cccc instance="C:")
| eval percentfree = case( counter=="% Free Space", round(Value, 4) )
| eval gbfree = case( counter=="Free Megabytes", round(Value / 1000, 2) )
| stats latest(percentfree) as percentfree latest(gbfree) as gbfree by host instance
| eval gbused = round( ( gbfree / percentfree * 100 ), 2) - gbfree
| timechart span=1m gbused by instance

0 Karma

henriq_c
Explorer

doesn't work, Error in 'timechart' command: The specifier 'gbused' is invalid. It must be in form (). For example: max(size).

0 Karma

henriq_c
Explorer

I did this and it works :
timechart span=1m eval(round(latest(gbfree),4) / round(latest(percentfree),4) * 100 - round(latest(gbfree),4))

In maths, it is the same : percentused*gfree/percentfree and gbfree / percentfree * 100 - gbfree ? no ?

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...