We run the query below and added 3 lines; we also added the IP address as field number 7, but we are not getting any IP data.
```Windows logical-disk alert: computes used_percent per host from the "% Free Space" counter, compares it with the state saved in win_disk.csv, rewrites that lookup, and passes numbered fields 1-7 to createsnmptrap.```
```Branch 1: only hosts that are already listed in win_disk.csv.```
index=perfmon sourcetype="Perfmon:LogicalDisk" source="Perfmon:LogicalDisk" counter="% Free Space" |dedup host |eval unique_id=md5(_raw) |search [inputlookup win_disk.csv|fields host]
|eventstats avg(Value) as disk_free_space by host
|eval used_percent= (100-disk_free_space)
```Append the previously saved rows so that first()/last() below can compare current and saved values per host.```
|append [inputlookup win_disk.csv]
|eval threshold=case(used_percent<95, "Stable", used_percent>=95 AND used_percent<98,"Warning", used_percent>=98, "Critical")
```stats keeps only host plus the aggregates listed here; every other field on the events or lookup rows (including any ip field) is dropped at this point.```
|stats first(used_percent) as used_percent, last(used_percent) as last_used_percent, first(threshold) as threshold, last(threshold) as last_threshold, last(unique_id) as unique_id, first(_time) as _time by host
```NOTE(review): case() returns the first branch that matches, so "still_stable" (which also requires used_percent<95) is never reached after "stable"; no branch here yields "new".```
|eval state=case(used_percent<95, "stable", used_percent<95 AND threshold=last_threshold, "still_stable" , used_percent>=95 AND used_percent<98 AND threshold=last_threshold, "existing", used_percent>=98 AND threshold=last_threshold, "existing", used_percent>=98 AND threshold!=last_threshold, "shift_critical", used_percent<98 AND used_percent>=95 AND threshold!=last_threshold, "shift_warning")
|search state!="still_stable"
|eval action=case(state="new", "post", state="existing", "nothing", state="stable", "clear", state="shift_warning", "recede", state="shift_critical", "escalate")
```table restricts the output to these fields; ip is not among them.```
|table host, used_percent, last_used_percent, threshold, last_threshold, unique_id, _time, state, action
```Branch 2: hosts NOT yet in win_disk.csv whose used_percent is at least 95; they are tagged state="new" / action="post".```
| append [search index=perfmon sourcetype="Perfmon:LogicalDisk" source="Perfmon:LogicalDisk" counter="% Free Space" |dedup host | search NOT
[
|inputlookup win_disk.csv|fields host
]
|eval unique_id=md5(_raw)
|eventstats avg(Value) as disk_free_space by host
|eval used_percent= (100-disk_free_space)
| where used_percent>=95
| eval threshold=case(used_percent<95,"Stable",used_percent>=95 AND used_percent<98,"Warning", used_percent>=98,"Critical")
|fillnull state value="new"|eval action=case(state="new", "post")
| eval title="win_disk_Used_Exceeds_Perc_by_Host"
```Same field list as branch 1; title and any ip field are dropped here as well.```
|table host, used_percent, last_used_percent, threshold, last_threshold, unique_id, _time, state, action]
```Writes the combined rows back to win_disk.csv; the rows continue down the pipeline.```
|outputlookup win_disk.csv
```NOTE(review): no earlier command in this search creates or keeps a field named ip, so 7=ip evaluates to null and column 7 stays empty. The address has to be carried through the stats and both table commands, or added after outputlookup from whatever host-to-address source exists in the environment (not shown here).```
|eval alert_type="Windows Disk Alert" | eval 1=alert_type, 2=host, 3=used_percent, 4=threshold, 5=action, 6=unique_id, 7=ip
|fields 1 2 3 4 5 6 7
|createsnmptrap
1 2 3 4 5 6 7 _time
Windows Disk Alert uslv-dapp-bsm02 95.705941 Warning nothing 832eb3f3cfdeec78fcd72e0131e740fb 2017-04-04 04:01:20
Please suggest
Thanks,
Sahil