I'm having trouble with a search and I'm banging my head against the wall. I feel like I'm on the right track but just not there yet.
So, long story short: I'm charting Windows server performance metrics. I'm working on Memory. The events I'm using for this are collected via Perfmon. In this case, I want to chart roughly how much memory a server is using. To do this I can get the "Available MBytes" perfmon counter and subtract it from the server's installed physical RAM. Perfmon can't tell me how much physical RAM the server has, so I used PowerShell to create a lookup table that has all of our servers and their configured RAM in them, because this isn't going to change very often. That way I can take configured RAM minus Available MBytes = Used RAM.
My first search just charts the "Available MBytes" counter, nothing fancy:
host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes" | eval GBs=(Value/1024) | timechart bins=500 avg(GBs) by counter
My lookup table (a CSV) has two columns: Server and RAM. Server has the server name in it, RAM is just the number in GB of RAM. So let's assume ServerName001 has 8GB of RAM. I can get the 8 back from the lookup table a few ways.
| inputlookup InstalledRAMLookup.csv | search Server=ServerName001 | fields RAM
I can also run an eval against the RAM after I grab it out of the lookup table and get the correct result for DivTest, like so:
| inputlookup InstalledRAMLookup.csv where (Server="ServerName001") | eval DivTest=(1/RAM)
What I can't seem to do is combine these searches together in a way that I can get the value of RAM and use it in an eval statement to get a simple piece of data per event: RAM - Available MBytes = Usage. I think the answer may be in using eval TotalGBs=[ lookup statement here] but Splunk says you can't put a boolean in an eval function.
Any help on this would be greatly appreciated. Thank you.
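One way to get the per-event calculation described in the question, added here as an example that is not part of the original post: the `lookup` command enriches each Perfmon event with the RAM column, so `eval` can use it directly. It assumes the `host` value matches the `Server` column in InstalledRAMLookup.csv exactly (including case); `AvailableGB` and `UsedGB` are field names chosen for the example.

```spl
host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes"
| lookup InstalledRAMLookup.csv Server AS host OUTPUT RAM
| where isnotnull(RAM)
| eval AvailableGB = Value / 1024
| eval UsedGB = RAM - AvailableGB
| timechart bins=500 avg(UsedGB) by host
```

The `where isnotnull(RAM)` line drops events from hosts that have no row in the lookup, so a missing entry shows up as a gap in the chart rather than a null result from the subtraction.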