Hi,
I use the 2 event types below in a search:
eventtype="TotalSpace" OR eventtype="DiskHealthSize"
I need to do a NOT host=E* for the 2 event types.
Is it enough to do eventtype="TotalSpace" OR eventtype="DiskHealthSize" NOT host=E*, or do I have to do it for the 2 event types?
I also have to do a | where Value <15, but just for the second event type.
I would like to do something like (eventtype="DiskHealthSize" | where Value <15), but it doesn't work.
Finally, I have to do a where Free_Space <15 at the end of the query below, but I get no results even though there are matching events.
Where do I have to put this piece of code?
eventtype="TotalSpace" OR eventtype="DiskHealthSize" NOT host=E*
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1). " %"
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " GB"
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host | where Free_Space <15
Thanks for helping me please
That's a matter of using the correct combination of AND and OR statements and some parentheses to ensure the right criteria are grouped together.
(eventtype="TotalSpace" OR ( eventtype="DiskHealthSize" AND Value <15 ) ) AND NOT host=E*
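Putting that grouping together with the rest of the pipeline from the question, as an added example (this is neither franch's nor the original poster's search): it assumes, as the question does, that Value and TotalSpaceKB are numeric extracted fields and that the Free_Space threshold is 15. The numeric filter runs before the " %" and " GB" suffixes are appended, because once round(Value,1)." %" has run the field holds a string such as "12.3 %" and a "< 15" test on it is no longer a numeric comparison. SPL has no comment syntax that survives a fenced block, so the assumptions are stated here rather than inline.

```spl
(eventtype="TotalSpace" OR (eventtype="DiskHealthSize" AND Value<15)) AND NOT host=E*
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval TotalSpace = round(TotalSpaceKB/1024/1024, 1)
| stats latest(Value) as Free_Space latest(TotalSpace) as TotalSpace by host
| where Free_Space < 15
| eval Free_Space = Free_Space . " %", TotalSpace = TotalSpace . " GB"
```

The Value<15 condition in the base search already restricts which DiskHealthSize events reach stats, so the later | where Free_Space < 15 mainly drops hosts that had only TotalSpace events (for which latest(Value) is null); the display formatting is the last step so that nothing before it has to compare strings.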
Perfect, franch, thanks.