Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

create a listing of min(foo) and _time

dang
Path Finder
‎12-07-2012 07:06 AM

I'm thinking what I'm trying to do is actually simple, I'm just not understanding the fundamental concept I need to use. I am looking at memory data for a collection of servers and starting my search like this:

index=main ComputerName=* sourcetype=WMI* AvailableMBytes

What I'm trying to do is create a list of information (and intentionally not using the words "chart" or "table", but I think that's where this is leading) where I present the values for "_time" and "min(AvailableBytes)" to show only the times each server have the lowest amount of available bytes of memory, with one row per server name.

Any suggestions?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎12-07-2012 07:38 AM

This can be achieved in several ways, one of them being

your search | sort AvailableMBytes | dedup host | table _time host AvailableMBytes

A subsearch could be another way of doing it

index=main sourcetype=WMI* [search index=main sourcetype=WMI* AvailableMBytes | stats min(AvailableMBytes) AS AvailableMBytes by host | fields + AvailableMBytes, host ] | table _time, host, AvailableMBytes

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎12-07-2012 07:38 AM

This can be achieved in several ways, one of them being

your search | sort AvailableMBytes | dedup host | table _time host AvailableMBytes

A subsearch could be another way of doing it

index=main sourcetype=WMI* [search index=main sourcetype=WMI* AvailableMBytes | stats min(AvailableMBytes) AS AvailableMBytes by host | fields + AvailableMBytes, host ] | table _time, host, AvailableMBytes

Hope this helps,

Kristian

Reply
Solved! Jump to solution

dang
Path Finder
‎12-07-2012 07:43 AM

This works well. Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎12-07-2012 07:30 AM

To display just the times where the value is the min, you have to find that min first. I'd use eventstats; this writes a new field with the stat you described to each row, carried along with all of the other fields. You can then apply a filtering search to get only the records you want, and then select your fields:

index=main ComputerName=* sourcetype=WMI* AvailableMBytes
| eventstats min(AvailableMBytes) AS lowest by ComputerName
| where AvailableMBytes=lowest
| table _time, AvailableMBytes
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...