Monitoring Splunk

Pass dbinspect result to calculate index disk space

shan_santosh
Explorer

I this search below to calculate compression rate of my index

| dbinspect index=myIndexName
| stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
| eval rawTotalinMB=(rawTotal / 1024 / 1024) | fields - rawTotal
| eval compression=round(diskTotalinMB / rawTotalinMB * 100, 2)
| table compression

Then I want to further use the compression value in below search in place of constant value .4

index=_internal source=*metrics.log group=per_index_thruput series=myIndexName | eval MB = round
(kb/1024,2) * .4 | reverse | accum MB as totalvalue | timechart last(totalvalue) span=1d

I tried subsearch and join, but no success. Can any one suggest a solution, hint?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Here's a generic example of how to pass a subsearch result into an eval:

| stats count | eval foo = exact(42 * [stats count as search | eval search = 0.1])

This should be translatable to your case, make sure to use the special field search to avoid quotes being added.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Works the same way, it's the first command of the subsearch:

| stats count | eval foo = exact(42 * [dbinspect index=main
  | stats sum(rawSize) AS rawTotal, sum(sizeOnDiskMB) AS diskTotalinMB
  | eval search=diskTotalinMB / rawTotal * 1024 * 1024 | fields search])

shan_santosh
Explorer

This worked for me. Thanks for your help.

0 Karma

shan_santosh
Explorer

Thanks for your reply. however in my case I want to use dbinspect and use its output for sub search. dbinspect has to be a first statement in the search which I can not use as a subsearch. Some sample wrt my scenario will be of great help.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...