I love InfluxDB as a metrics database, but I don't like its alerting. I love the Splunk query language, so how can I query InfluxDB data from Splunk and alert on it? I finally got this:
``` Purpose: pull the latest "disk" point per host/tag set from InfluxDB over HTTP and list volumes with little free space. ```
``` `urlencode` and `curl` are not core SPL commands; presumably they come from an installed add-on - confirm which one and who may run it. ```
| makeresults
``` NOTE(review): the token is a literal in the search string, so it is stored with the saved search and likely recorded in search history/audit logs. ```
``` Prefer a read-only, narrowly scoped InfluxDB token and restrict read access to this search. ```
| eval influx_token="your-influx-token"
``` InfluxQL: last value of every field in "disk" over the past 15 minutes, one series per host and per remaining tag. ```
| eval query="SELECT last(*) FROM \"disk\" WHERE time>now()-15m group by host,*"
``` JSON object of request headers handed to curl; it carries the token in the Authorization header. ```
| eval header="{\"Authorization\":\"Token "+influx_token+"\"}"
``` Encode the query before it is appended to the URL. Keep the query text static: values spliced into it would not be escaped for InfluxQL. ```
| urlencode query
| eval influx_url="https://your-influx-server/query?db=telegraf&q="+query
| curl method=get urifield=influx_url headerfield=header
``` Extract results[] from the JSON response body held in curl_message. ```
| spath input=curl_message output=myfield path=results{}
``` Keeping only myfield also drops influx_token, header and influx_url from the row, so the token is not carried into the output. ```
| fields myfield
| spath input=myfield output=series path=series{}
| fields - myfield
``` One result row per returned series. ```
| mvexpand series
| spath input=series
| fields - series
``` Flatten names: columns{} and values{}{} become multivalue fields, tags.* become top-level fields (host, path, ...). ```
``` assumes each series holds a single row, so columns and values line up by index - TODO confirm ```
| rename columns{} as columns,values{}{} as values , tags.* as *
``` Drop series whose path tag contains "boot" or "etc". ```
| search NOT path IN("*boot*","*etc*")
``` Pivot: for each index i, create a field named after columns[i] holding values[i] ({column_name} is a dynamically named field). ```
``` Only indexes 0-10 are handled, so a series with more than 11 columns loses the extra ones without any error. ```
| eval column_name=mvindex(columns,0) , {column_name}=mvindex(values,0)
| eval column_name=mvindex(columns,1) , {column_name}=mvindex(values,1)
| eval column_name=mvindex(columns,2) , {column_name}=mvindex(values,2)
| eval column_name=mvindex(columns,3) , {column_name}=mvindex(values,3)
| eval column_name=mvindex(columns,4) , {column_name}=mvindex(values,4)
| eval column_name=mvindex(columns,5) , {column_name}=mvindex(values,5)
| eval column_name=mvindex(columns,6) , {column_name}=mvindex(values,6)
| eval column_name=mvindex(columns,7) , {column_name}=mvindex(values,7)
| eval column_name=mvindex(columns,8) , {column_name}=mvindex(values,8)
| eval column_name=mvindex(columns,9) , {column_name}=mvindex(values,9)
| eval column_name=mvindex(columns,10) , {column_name}=mvindex(values,10)
``` Remove the pivot helpers plus fields matching *node*, mode and time. ```
| fields - columns,values , column_name , *node*,mode,time
``` Divide by 1024^3 and round to a whole number; presumably last_free/last_total are bytes - verify against the measurement. ```
| eval last_free_GB=round(last_free/1024/1024/1024) ,last_total_GB=round(last_total/1024/1024/1024)
``` Strip the "last_" prefix that last(*) puts on every field name. ```
| rename last_* as *
``` NOTE(review): sort normally takes the field list directly (sort host); confirm "by" is accepted as written. ```
| sort by host
| table host,path,total_GB,free_GB,used_per*,*
``` Alert condition: under 40 GB free. The comparison uses the rounded value, so 39.5 and above rounds to 40 and does not match. ```
| where free_GB<40