topic Re: how to get the particluar hour cpu,memory,and disk usage using splunk? in Monitoring Splunk

how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc — Thu, 18 May 2017 06:16:34 GMT

HI, i have event like this
SNo TIme event
1 5/15/17 12:00:00.000 AM servername, nodename ,2017-05-15,00:00,18, 19, 13

2 5/15/17 14:00:00.000 PM servername, nodename ,2017-05-15,00:00,17, 18, 11

Here in 1st one, 18= cpu usage, 19=memory usage,13=disk usage
like this i have 24 hours data.In single event the server name,node name, cpu, memory,disk usage are there with comma separator.
Now my requirement is i want to generate histogram to cpu for only 8:00 AM, 12:00 PM, and 18:00 PM.Like this same for memory usage and disk usage.
Can anyone help me regarding this?
Thank you.
Proper response should be appreciated.

NOte:
In event logs,Under event section the fileds like this server name, node name, cpu usage, memory usage, disk usage

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

DalJeanis — Thu, 18 May 2017 19:14:11 GMT

start with this...

your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

...then any one of these...

| timechart max(CPU) as CPU by SERV 
| timechart max(MEM) as MEM by SERV 
| timechart max(DISK) as DISK by SERV

The | bin _time as will create a new field with the 4-hour increment to compare against.

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc — Fri, 19 May 2017 04:50:16 GMT

how to give the 8:00 AM as my time in the where _time clause

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc — Fri, 19 May 2017 04:59:06 GMT

The above command not giving any results.

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc — Fri, 19 May 2017 08:43:25 GMT

I am getting only server names. data not coming into remaining fields .

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

DalJeanis — Mon, 22 May 2017 14:39:23 GMT

Try this for the rex....

 | rex ".*?(AM|PM)\s+(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)"

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc — Tue, 29 Sep 2020 14:10:17 GMT

Where _time=desired_times..
In this how can i provide my timings as 8AM,12PM,18PM..
Can you help on this?

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc — Mon, 22 May 2017 17:04:38 GMT

my event has only this " servername, nodename ,2017-05-15,00:00,18, 19, 13".
There is no time AM/PM on my event...

Re: how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc — Tue, 23 May 2017 07:49:44 GMT

It is working now.But the problem is i am not getting two servers, remaining all servers data am getting. In place of that am getting a new column "OTHERS", which is not exists in my data. Can you tell about this
?