- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: subsearch question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cannot get results from query using subsearch. I would like to compare the previous percentage of used space with the current percentage of used space. My subsearch looks at the current percentage of usage and should run first. That should be returning 51 (I'm converting the percentage into a numeric number in each query) which right now matches the previous percentage of space used so I am expecting results but getting none. There is only 1 result every 15 minutes.
earliest=-30m latest=-15m index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
| convert num(usedPercent) as pastPercent
| SEARCH pastPercent=currentPercent
[ SEARCH earliest=-15m latest=now index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
|convert num(usedPercent) as currentPercent
| table currentPercent | return currentPercent ]
Any help would be appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (should perform better than subsearch method)
earliest=-30m latest=now index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
| eval period=if(_time>relative_time(now(),"-15m"),"current","past")
| chart max(usedPercent) over index by period | where current=past
Just to explain, your subsearch syntax was wrong. You should be doing like this
earliest=-30m latest=-15m index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
| convert num(usedPercent) as pastPercent
| where pastPercent=[ SEARCH earliest=-15m latest=now index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
|convert num(usedPercent) as query
| table query ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
earliest=-30m@m latest=@m index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
| convert num(usedPercent) as pastPercent
| eval TimeFrame=if(_time>relative_time(now(),"-15m@m"),"Current","Previous")
| stats latest(usedPercent) as "Used Percent" by TimeFrame
What if there are multiple events within the 15 minute window? My search used the most recent event, but you could also choose the maximum or the average or...
Finally, your subsearch would only return a result if the current percent and the past percent were identical. This seems an odd criteria.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (should perform better than subsearch method)
earliest=-30m latest=now index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
| eval period=if(_time>relative_time(now(),"-15m"),"current","past")
| chart max(usedPercent) over index by period | where current=past
Just to explain, your subsearch syntax was wrong. You should be doing like this
earliest=-30m latest=-15m index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
| convert num(usedPercent) as pastPercent
| where pastPercent=[ SEARCH earliest=-15m latest=now index=123456 sourcetype=abcdefg filer=higklmn name="opqrstuv"
|convert num(usedPercent) as query
| table query ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, both worked. I was just using = during testing because I knew I should get a result off of that. In the future I will be actually validating that the space has not dropped by a certain percentage. I'll be able to add the calculation now that the query is working.
Again, thanks so much!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
