Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get a single value subtraction from two...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mujahidsof
New Member
01-28-2018
11:58 PM
Hi,
I have two searches Total Memory and Available memory and I want to subtract this two queries result, so that I can get Used Memory.
Total Memory
sourcetype=cf:valuemetric name=CapacityTotalMemory
| eval valueGTB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| timechart span=5s avg(valueGTB) as valueGB by ip
| filldown | untable _time ip valueGTB
| timechart span=5s sum(valueGTB)
Available Memory
sourcetype=cf:valuemetric name=CapacityRemainingMemory
| eval valueGB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| timechart span=5s avg(valueGB) as valueGB by ip
| filldown | untable _time ip valueGB
| timechart span=5s sum(valueGB)
I tried everything but could not figure it out.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-29-2018
01:32 AM
try this:
sourcetype=cf:valuemetric name=CapacityTotalMemory
| eval valueGTB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| timechart span=5s avg(valueGTB) as valueGB by ip
| filldown
| untable _time ip valueGTB
| timechart span=5s sum(valueGTB) as "total_memory"
| join _time
[ sourcetype=cf:valuemetric name=CapacityRemainingMemory
| eval valueGB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| timechart span=5s avg(valueGB) as valueGB by ip
| filldown
| untable _time ip valueGB
| timechart span=5s sum(valueGB) as "available_memory"]
| eval used_memory=total_memory-available_memory
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
01-29-2018
02:12 AM
@mujahidsof, Since you are not using ip field in your final timechart seems like you just need two series the sum of average memory available and total for every 5 seconds. Following should still work without join/append or appendcols.
sourcetype=cf:valuemetric ( name=CapacityTotalMemory OR name=CapacityRemainingMemory)
| eval valueGB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| bin _time span=5s
| stats avg(valueGB) by name, ip, _time
| timechart span=5s sum(valueGB) by name
| filldown CapacityTotalMemory CapacityRemainingMemory
| rename "CapacityTotalMemory" as "total_memory"
| rename "CapacityRemainingMemory" as "available_memory"
Please try out and confirm. Also you can create an Overlay Field if required using Chart Formatting Options.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mujahidsof
New Member
01-29-2018
07:08 AM
Sum(total_memory)-sum(available_memory) = available memory(single value).
I am unable to achieve this with above query may be I am doing wrong 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-29-2018
01:32 AM
try this:
sourcetype=cf:valuemetric name=CapacityTotalMemory
| eval valueGTB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| timechart span=5s avg(valueGTB) as valueGB by ip
| filldown
| untable _time ip valueGTB
| timechart span=5s sum(valueGTB) as "total_memory"
| join _time
[ sourcetype=cf:valuemetric name=CapacityRemainingMemory
| eval valueGB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| timechart span=5s avg(valueGB) as valueGB by ip
| filldown
| untable _time ip valueGB
| timechart span=5s sum(valueGB) as "available_memory"]
| eval used_memory=total_memory-available_memory
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mujahidsof
New Member
01-29-2018
01:47 AM
Thank you very much. You saved my hours. 😛 . I don't tried _time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
01-29-2018
12:47 AM
what happens if you use appencols, ?
first search followed by the second? if the columns are aligned, you can just subtract the fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mujahidsof
New Member
01-29-2018
12:53 AM
I have used append, have to try appendcols
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
