cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jztilly
Engager
Member since: ‎12-12-2021
‎10-27-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-12-2021
View All

How do I create a Dashboard using mstats metrics w...

by in Splunk Search
‎10-12-2022 03:22 PM
‎10-12-2022 03:22 PM
Hi there, I've been attempting to create a dashboard with metrics from the itsi_im_metrics index but am struggling with "instances" and the LogicalDisk.%_Free_Space metric. Using the following search, I can see the "instances" dimension are being used for each logical volume:     | mcatalog values(_dims) WHERE "index"="*" GROUPBY metric_name index instance | rename values(_dims) AS dimensions | table metric_name dimensions index instance     I can get a visualisation for each of the instances with the following and changing the C: to d: or E: respectively:     | mstats prestats=true avg(LogicalDisk.Free_Megabytes) WHERE (`itsi_entity_type_windows_metrics_indexes`) span=1m AND instance=C: | timechart span=1m avg(LogicalDisk.Free_Megabytes) as "Megabytes Free"     ...but I can't get all three of them (C:, d: and E:) into the same table like this: _time C: % free 😧% free E: % free   Any tips or advice would be greatly appreciated! Cheers 🙂 ... View more
Labels

Re: search to show hosts missing specific winevent...

by in Splunk Search
‎12-15-2021 07:23 PM
‎12-15-2021 07:23 PM
Thanks for the reply! I've been trying to get that to produce a result but not having much luck. The original error after copy/paste is: Error in 'eval' command: The expression is malformed. Expected ). I've been going through line-by-line and got the second line working by changing it to this:   index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*pgrp* | eval success = if(Message like "%6C8F1F7E%|%6C8F1F7D%|%6C8F1F7A%", 1, 0)   but each subsequent line fails from there. edit : nope, my edit to line 2 doesn't work either 😁 ... View more

search to show hosts missing specific winevent log

by in Splunk Search
‎12-12-2021 03:26 PM
‎12-12-2021 03:26 PM
Hi there, I've got a basic search to provide the most recent timestamp for a successful backup using wineventlog data:   index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*grp* | search Message=*6C8F1F7E* OR Message=*6C8F1F7D* OR Message=*6C8F1F7A* | dedup host | table host, _time   However, I'm really struggling to come up with a search that shows me all the *grp* hosts whether they have the successful backup strings in the Message field  (*6C8F1F7E* or *6C8F1F7D* or *6C8F1F7A*) or not. My closest attempt seems to be this:   index="wineventlog" source="WinEventLog:Application" SourceName="Symantec System Recovery" host=*pgrp* | eval success = case(Message like "%6C8F1F7E%",1,Message like "%6C8F1F7D%",1,Message like "%6C8F1F7A%",1,Message like "%",0) | stats sum(success) as Successes by host | where Successes < 1   My hope is for a table with the following columns: Host Last successful backup date/time or "N/A" if there was no successful backup in the selected timerange Days since last backup Any help or advice would be greatly apprecated! Cheers ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-27-2022 08:32 PM