Solved: Can you help me with a search involving the NOT an...

jip31 · ‎02-15-2019

Hi,

I use the 2 event types below in a search

eventtype="TotalSpace" OR eventtype="DiskHealthSize"

I need to do an NOT host=E* for the 2 event types.

Is it enough to do eventtype="TotalSpace" OR eventtype="DiskHealthSize" NOT host=E*, or do I have to do it for the 2 event types??

I have to do also a | where Value <15) but just for the second event type.

I would like to do something like (eventtype="DiskHealthSize" | where Value <15), but it doesn't work....

Finally, I have to do a where Free_Space <15 at the end of the query below but I have no results even if there are events corresponding....

Where do I have to put this piece of code??

  eventtype="TotalSpace" OR eventtype="DiskHealthSize" NOT host=E*
    | eval time = strftime(_time, "%m/%d/%Y %H:%M") 
    | eval Value = round(Value, 1). " %" 
    | eval TotalSpace = TotalSpaceKB/1024 
    | eval TotalSpace = round(TotalSpace/1024,1). " GB" 
    | stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host |  where Free_Space <15

Thanks for helping me please

FrankVl · ‎02-15-2019

That's a matter of using the correct combination of AND and OR statements and some parentheses to ensure the right criteria are grouped together.

(eventtype="TotalSpace" OR ( eventtype="DiskHealthSize" AND Value <15 ) ) AND NOT host=E*

View solution in original post

FrankVl · ‎02-15-2019

That's a matter of using the correct combination of AND and OR statements and some parentheses to ensure the right criteria are grouped together.

(eventtype="TotalSpace" OR ( eventtype="DiskHealthSize" AND Value <15 ) ) AND NOT host=E*

jip31 · ‎02-15-2019

Perfect franch thanks

Can you help me with a search involving the NOT and WHERE functions?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms