Splunk Search

How to search result in data and put it in a table

codedtech
Path Finder

I need to create a table from the results in the query below. where the utilization is greater than or equal to .7.

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated =  round((vmdkallocated/free*100),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|where utilization>=.7|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization

Please feel free to rewrite my code, I know its not efficient or pretty. I'm still learning splunk.

0 Karma
1 Solution

codedtech
Path Finder

This worked thank you

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated = round((vmdkallocated/free),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization|where utilization>=0.75|sort -utilization

View solution in original post

0 Karma

codedtech
Path Finder

This worked thank you

index=test cluster="*"| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval over_allocated = round((vmdkallocated/free),2)|eval utilization= round(((vmdkused+garbage)/capacity),2)|eval capacity = round((capacity),2)|eval free = round((free),2)|
eval garbage = round((garbage),2)|eval vmdkallocated = round((vmdkallocated),2)|eval vmdkused = round((vmdkused),2)|dedup _time cluster|table _time cluster capacity free garbage vmdkallocated vmdkused over_allocated utilization|where utilization>=0.75|sort -utilization

0 Karma

diogofgm
SplunkTrust
SplunkTrust

try removing the |whereand check the final table for the utilisation values. if all seems ok and you're able to find utilization greater than 0.7 (also try using the 0 before the . ) add the |where after the |table . If this still does not work, replace the |where with |search

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

diogofgm
SplunkTrust
SplunkTrust

If this post solved you problem please mark it as an answer. Thanks

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

codedtech
Path Finder

I for some reason can't get only the values that are above .7 to display in the table, if I run it like this I get over 1000 results. I'm trying to use this to create an alert that will be distributed via email to the rest of the guys I work with. I need to cut that down to only the results that are greater than or equal to .7

0 Karma

diogofgm
SplunkTrust
SplunkTrust

what's the problem you're trying to have solve? Isn't this working?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...