- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I use the value of one field as name of an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk 5.0.2
Example: windows "Perfmon:Free Disk Space"
Each check is actually two events, one with the free space in MD, one in percent like this:
search: source="Perfmon:Free Disk Space"
first two results:
05/17/2013 08:59:29.087<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="% Free Space"<br>
instance=_Total<br>
Value=23.842293475974397<br>
05/17/2013 08:59:29.087<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="Free Megabytes"<br>
instance=_Total<br>
Value=31736<br>
I make these into transactions to bring this information together:
Search: source="Perfmon:Free Disk Space" | transaction host instance _time
first result:
05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="Free Megabytes"<br>
instance=_Total<br>
Value=121005<br>
05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="% Free Space"<br>
instance=_Total<br>
Value=20.732246391710184<br>
If I could rename the "Value" field to the value of the "counter" field before my transaction command I would have something along the lines of::
05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="Free Megabytes"<br>
instance=_Total<br>
Free Megabytes=121005<br>
05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="% Free Space"<br>
instance=_Total<br>
% Free Space=20.732246391710184<br>
I could then make tables charts graphs alerts etc based on those values and have both the space in megabytes and the percent available. For example, on a drive with multiple terabytes of disk space, 10% free isn't that big a deal but only having a few thousand meg free would be an issue, on a drive with only a few dozen gigabytes 10% free may be critical where a few thousand megabytes is "normal"
I know I could use a case argument but that only adresses this one instance, I'm looking for a tool I can use again in the future.
the closest i've come is this:
Search: source="Perfmon:Free Disk Space" | chart first(Value) over host by counter
give me <Hostname> <% Free Space> <Free Megabytes>
which is "ok" but doesn't account for multiple instances (in this example, i have an instance for each drive then one for _Total)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From a strictly search format:
source="Perfmon:Free Disk Space" | eval ReportKey = instance.":".counter | chart latest(Value) over host by ReportKey
Otherwise, you can setup some props/transforms but it gets hairy with different fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, this is possible, and very useful for Perfmon with its counter= value= format. Try this:
| eval {counter}=value
This naturally only works when you have a small number of values of counter where you can explicitly state them in a stats, or perhaps use fields beforehand to narrow down the number of available fields for a stats *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very cool - I like this solution as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another way is to use if;
source="Perfmon:Free Disk Space"
| eval Free_MB = if(counter == "Free Megabytes", Value, null())
| eval Free_perc = if(counter == "% Free Space", Value, null())
| your reporting commands as needed
This should give you new fields with the 'right' names.
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From a strictly search format:
source="Perfmon:Free Disk Space" | eval ReportKey = instance.":".counter | chart latest(Value) over host by ReportKey
Otherwise, you can setup some props/transforms but it gets hairy with different fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I have answered your question (or close enough to what you were looking for), please accept it. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, in this instance I actually like the following better:
source="Perfmon:Free Disk Space" | eval HostInstance = host.":".instance | chart latest(Value) over HostInstance by counter
giving me one set of MB/% per line.
in this particular example, this is an acceptible solution, but it may not work every time I'm looking for a similar solution.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
