Solved: Re: Can you help me work out a query involving dis...

luckyman80 · ‎11-07-2018

Hi Splunk Community,

I have a simple query which pulls request counts in per node.

sourcetype=test-log New Line 
| rex "\'instance1_n_Node1\': (?.*?)," 
| rex "\'instance2_n_Node2\': (?.*?)," 
| rex "\'instance2_n_Node2\': (?.*?)," 

| timechart max(Node1), max(Node2), max(Node3)

This brings me back the values of

Node1 - 100
Node2 - 200
Node3 - 300

My Nodes have a capacity of 320 only. I am trying to show the % left on the available instances so i can see where my space is. What's the best way to do this ?

Thanks in advance !

kmaron · ‎11-08-2018

if instead of the timechart you use a stats you can then use those values to calculate your percent available and then you can timechart those.

    | stats max(Node1) as Node1 max(Node2) as Node2 max(Node3) as Node3 by _time
    | eval percent_avail1 = (320-Node1)/320*100
    | eval percent_avail2 = (320-Node2)/320*100
    | eval percent_avail3 = (320-Node3)/320*100
    | timechart max(percent_avail1) max(percent_avail2) max(percent_avail3)

View solution in original post

kmaron · ‎11-08-2018

if instead of the timechart you use a stats you can then use those values to calculate your percent available and then you can timechart those.

    | stats max(Node1) as Node1 max(Node2) as Node2 max(Node3) as Node3 by _time
    | eval percent_avail1 = (320-Node1)/320*100
    | eval percent_avail2 = (320-Node2)/320*100
    | eval percent_avail3 = (320-Node3)/320*100
    | timechart max(percent_avail1) max(percent_avail2) max(percent_avail3)

luckyman80 · ‎11-09-2018

kMaron, Thanks for your prompt response.. Worked a treat

Can you help me work out a query involving distribution percentages?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector