Splunk Search

Why it doesn't work ? 2 searchs joined and two different counters

henriq_c
Explorer

I want to do this but it doesn't work, why ? How can I fix this ?

 index=xxxx   eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" host=cccc "instance=C:" 
    | eval percentfree = round((Value),4)

    | join 
    [search index=xxxx  eventtype="perfmon_windows" object="LogicalDisk" counter="Free Megabytes"
    | eval gfree = round(value/1000,2)
    | eval usedGb = round(percentused*gfree/percentfree,2)
    | eval totalgb = round(usedGb+gfree,2)]

after that i want to do a timechart :
| timechart span=1m eval(100 - round(latest(Value),4)) as usedGb by instance
Thank you

Tags (3)
0 Karma

woodcock
Esteemed Legend

Try this:

index=xxxx  AND eventtype="perfmon_windows" AND object="LogicalDisk" AND ((counter="% Free Space" AND host="cccc" AND "instance=C:") OR counter="Free Megabytes")
| dedup punct
| table "Free Megabytes" "% Free Space" value
| eval {counter} = value
| stats first("Free Megabytes") AS gfree first("% Free Space") AS percentfree
| eval percentfree = round((percentfree),4)
| eval gfree = round(gfree/1000,2)
| eval usedGb = round(percentused*gfree/percentfree,2)
| eval totalgb = round(usedGb+gfree,2)
| eval host="cccc"
0 Karma

jnudell_2
Builder

Hi @henriq_c ,
You search is a bit confusing. You're using a join to try and calculate percentused, when you can just use the first value to calculate it:

| eval percentused = round((100 - Value), 4)

So your search should look like:
index=xxxx   eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" host=cccc instance="C:" 
| eval percentused = round((100 - Value), 4)
| timechart span=1m percentused by instance

If that's not what you're looking for, perhaps you could explain what you are trying to do more clearly.

Updated answer:

index=xxxx eventtype="perfmon_windows" object="LogicalDisk" (counter="% Free Space" host=cccc instance="C:") OR (counter="Free Megabytes" host=cccc instance="C:")
| eval percentfree = case( counter=="% Free Space", round(Value, 4) )
| eval gbfree = case( counter=="Free Megabytes", round(Value / 1000, 2) )
| stats latest(percentfree) as percentfree latest(gbfree) as gbfree by host instance
| eval gbused = round( ( gbfree / percentfree * 100 ), 2) - gbfree
| timechart span=1m gbused by instance

0 Karma

henriq_c
Explorer

oh my bad, look EDIT

0 Karma

jnudell_2
Builder

I see what you're trying to do now.

Try this:

index=xxxx eventtype="perfmon_windows" object="LogicalDisk" (counter="% Free Space" host=cccc instance="C:") OR (counter="Free Megabytes" host=cccc instance="C:")
| eval percentfree = case( counter=="% Free Space", round(Value, 4) )
| eval gbfree = case( counter=="Free Megabytes", round(Value / 1000, 2) )
| stats latest(percentfree) as percentfree latest(gbfree) as gbfree by host instance
| eval gbused = round( ( gbfree / percentfree * 100 ), 2) - gbfree
| timechart span=1m gbused by instance

0 Karma

henriq_c
Explorer

doesn't work, Error in 'timechart' command: The specifier 'gbused' is invalid. It must be in form (). For example: max(size).

0 Karma

henriq_c
Explorer

I did this and it works :
timechart span=1m eval(round(latest(gbfree),4) / round(latest(percentfree),4) * 100 - round(latest(gbfree),4))

In maths, it is the same : percentused*gfree/percentfree and gbfree / percentfree * 100 - gbfree ? no ?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...