Splunk Search

Can you help me with a search involving the NOT and WHERE functions?

jip31
Motivator

Hi,

I use the 2 event types below in a search

eventtype="TotalSpace" OR eventtype="DiskHealthSize" 

I need to do a NOT host=E* for the 2 event types.

Is it enough to do eventtype="TotalSpace" OR eventtype="DiskHealthSize" NOT host=E*, or do I have to do it for the 2 event types?

I also have to do a | where Value <15, but just for the second event type.

I would like to do something like (eventtype="DiskHealthSize" | where Value <15), but it doesn't work....

Finally, I have to do a where Free_Space <15 at the end of the query below, but I get no results even though there are corresponding events....

Where do I have to put this piece of code?

  eventtype="TotalSpace" OR eventtype="DiskHealthSize" NOT host=E*
    | eval time = strftime(_time, "%m/%d/%Y %H:%M") 
    | eval Value = round(Value, 1). " %" 
    | eval TotalSpace = TotalSpaceKB/1024 
    | eval TotalSpace = round(TotalSpace/1024,1). " GB" 
    | stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host |  where Free_Space <15

Thanks for helping me please

0 Karma
1 Solution

FrankVl
Ultra Champion

That's a matter of using the correct combination of AND and OR statements and some parentheses to ensure the right criteria are grouped together.

(eventtype="TotalSpace" OR ( eventtype="DiskHealthSize" AND Value <15 ) ) AND NOT host=E*


0 Karma
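A full search that applies this grouping and keeps the values numeric until after the threshold check, added here as an example rather than code from the thread. It assumes the field names from the question (Value, TotalSpaceKB, host) and that Value is a free-space percentage.

```spl
(eventtype="TotalSpace" OR (eventtype="DiskHealthSize" AND Value<15)) AND NOT host=E*
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1)
| eval TotalSpaceGB = round(TotalSpaceKB/1024/1024, 1)
| stats latest(Value) as Free_Space latest(TotalSpaceGB) as TotalSpace by host
| where Free_Space < 15
| eval Free_Space = Free_Space . " %", TotalSpace = TotalSpace . " GB"
```

Appending " %" with the . operator before stats turns Value into a string, so the numeric where comparison on Free_Space no longer behaves as intended; formatting the fields as the last step keeps the filter working.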

jip31
Motivator

Perfect Frank, thanks

0 Karma