Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me work out a query involving dis...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
luckyman80
Path Finder
11-07-2018
08:26 AM
Hi Splunk Community,
I have a simple query which pulls request counts in per node.
sourcetype=test-log New Line
| rex "\'instance1_n_Node1\': (?.*?),"
| rex "\'instance2_n_Node2\': (?.*?),"
| rex "\'instance2_n_Node2\': (?.*?),"
| timechart max(Node1), max(Node2), max(Node3)
This brings me back the values of
Node1 - 100
Node2 - 200
Node3 - 300
My Nodes have a capacity of 320 only. I am trying to show the % left on the available instances so i can see where my space is. What's the best way to do this ?
Thanks in advance !
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
11-08-2018
11:35 AM
if instead of the timechart you use a stats you can then use those values to calculate your percent available and then you can timechart those.
| stats max(Node1) as Node1 max(Node2) as Node2 max(Node3) as Node3 by _time
| eval percent_avail1 = (320-Node1)/320*100
| eval percent_avail2 = (320-Node2)/320*100
| eval percent_avail3 = (320-Node3)/320*100
| timechart max(percent_avail1) max(percent_avail2) max(percent_avail3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
11-08-2018
11:35 AM
if instead of the timechart you use a stats you can then use those values to calculate your percent available and then you can timechart those.
| stats max(Node1) as Node1 max(Node2) as Node2 max(Node3) as Node3 by _time
| eval percent_avail1 = (320-Node1)/320*100
| eval percent_avail2 = (320-Node2)/320*100
| eval percent_avail3 = (320-Node3)/320*100
| timechart max(percent_avail1) max(percent_avail2) max(percent_avail3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
luckyman80
Path Finder
11-09-2018
07:13 AM
kMaron, Thanks for your prompt response.. Worked a treat
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
