×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
CR
Loves-to-Learn Lots
Member since: ‎09-30-2021
‎10-08-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-30-2021
View All

Re: how can i do this without using the append sub...

by in Dashboards & Visualizations
‎10-06-2021 02:25 PM
‎10-06-2021 02:25 PM
thanks Giuseppe, some good ideas in your solution - the challenge is that calculating the Windows Memory Used % means I need the freebytes from one sourcetype and the size of memory from another.  The sourcetype with size doesnt have frequent events so i cant do the calculation without a join. I also just tried using "|multiseach" but it doesnt allow joins. I thought of creating 3 base searches ( one for each windows (with the join) , LInux , Unix) but then I can work out how to reference all 3 base searches in one query. All roads seem to lead to a dead end.    ... View more

Re: how can i do this without using the append sub...

by in Dashboards & Visualizations
‎09-30-2021 11:22 PM
‎09-30-2021 11:22 PM
thanks - the appends are limited to 50,000 events it would seem - so if i have 6 host with an event each minute i hit that limit in about 8 days which doesn't do what i need  I thought some kind of conditional execution would be the option not sure on the syntax to do it. If anyone can point me to a good example it would be appreciated. I guess what i need is something that does this search index IN (one, two, three)  sourcetype IN (a,b,c) host IN (host1, host2,host3)  if sourcetype = a then do ( list of commands) else if sourcetype=b then do (list of commands) else if sourcetype=c then do (list of commands) | timechart  ......   ... View more

how can i do this without using the append subsear...

by in Dashboards & Visualizations
‎09-30-2021 06:29 PM
‎09-30-2021 06:29 PM
I want to get metrics from multiple index/sourcetype combinations - have been using the append clause and subquery to do it but need to process a lot of events and hit the limitations of subqueries and although i get all the data from the primary query the appends get truncated.   Im sure there is an easy way of doing this and its what splunk is meant to do but cant work out how to cater for the different manipulation that needs to be done depending on the index and sourcetype. The follow is a relatively simple one but i have more complex queries which need to calculate rates from absolute values etc.   So basically have 3 queries ( one that needs a join so i can do some calculations) keep _time host and the metric I want and then do the visualisation.   index=windows sourcetype=PerfmonMk:Memory host IN(host1,host2,host3) | join type=outer host [ search index=windows sourcetype=WMI:ComputerSystem host IN(host1,host2,host3) earliest=-45d latest=now() | stats last(TotalPhysicalMemory) as TPM by host | eval TPM=TPM/1024/1024] | eval winmem=((TPM-Available_MBytes)/TPM)*100 | fields _time host mem |append [search index=linux sourcetype=vmstat host IN(host4,host5,host6) | where isnotnull(memUsedPct) | eval linmem=memUsedPct | fields _time host mem] |append [ search index=unix sourcetype="nmon-MEMNEW" host IN(host7,host8,host9) | where isnotnull("Free%") | eval aixmem=100-'Free%' | fields _time host mem] | eval host=upper(host) | timechart limit=0 span=1h perc95(mem) as Memory_Utilisation by host ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-08-2021 12:53 AM