Hello,
I use the where condition below.
I would like to display the events where Free_Space <= "20" AND TotalSpace >= "164".
But I don't understand why, even if the free space is < 20, I have events with TotalSpace < 164?
You can see an example in the screenshot.
Thanks for your help.
(index="toto" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
**| where Free_Space <= "20" AND TotalSpace >= "164"**
| sort +Free_Space limit=10
Without trying it, it jumps out at me that you do your comparison on strings, not numbers.
You should add " %" and " GB" after you filter with your where clause, not before.
HTH,
Kai
I'm doing this but it doesn't work:
| where Free_Space <= "20 %" AND TotalSpace >= "164 GB"
No, I meant:
(index="toto" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="titi" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1)
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1)
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
| where Free_Space <= 20 AND TotalSpace >= 164
| sort +Free_Space limit=10
| eval Free_Space=Free_Space." %", TotalSpace=TotalSpace." GB"
Perfect, thanks.
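The string-versus-number comparison discussed in this thread can be reproduced without any index data. The search below is an added example, not code from any poster in the thread; the four `sample-host-*` rows and their values are constructed, and `fs_str`, `ts_str`, `string_match` and `numeric_match` are illustrative field names. It evaluates the same thresholds once on strings with units appended and once on the numeric fields, then uses `fieldformat` so the units appear only at display time while sorting stays numeric.

```spl
| makeresults count=4
| streamstats count as n
| eval host = "sample-host-" . n
| eval Free_Space = case(n=1, 9.5, n=2, 15.2, n=3, 3.4, n=4, 45.1)
| eval TotalSpace = case(n=1, 200.3, n=2, 20.4, n=3, 500.6, n=4, 300.7)
| eval fs_str = Free_Space . " %", ts_str = TotalSpace . " GB"
| eval string_match = if(fs_str <= "20" AND ts_str >= "164", "yes", "no")
| eval numeric_match = if(Free_Space <= 20 AND TotalSpace >= 164, "yes", "no")
| sort Free_Space
| table host Free_Space TotalSpace fs_str ts_str string_match numeric_match
| fieldformat Free_Space = Free_Space . " %"
| fieldformat TotalSpace = TotalSpace . " GB"
```

`sample-host-2` (15.2 % free on a 20.4 GB disk) passes the string test because "2" sorts after "1" character by character, while `sample-host-1` (9.5 % free on a 200.3 GB disk) fails it because "9" sorts after "2"; the numeric test gives the opposite, intended result for both.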