topic Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340622#M101027 <P>@sonila<BR /> Voting up @niketnilay comment, this is the right way to go and IMHO should also be the answer to your question and not only a comment</P> Fri, 21 Apr 2017 12:43:32 GMT adonio 2017-04-21T12:43:32Z How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340615#M101020 <P>I need to create an alert which is if in a 10 period of time to see if memory percentage of the host is over 90%. Here is what I have when I search for sourcetype="Perfmon:Available Memory" which is the only sourcetype I have:<BR /> 04/21/2017 00:20:59.143 +0200<BR /> collection="Available Memory"<BR /> object=Memory<BR /> counter="Available Bytes"<BR /> instance=0<BR /> Value=992362496</P> <P>The search that i do is as below:</P> <PRE><CODE>earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Available Memory"|stats avg(Value) as AvgValue_Last10m count by host | eval AvgValue_Last10mGB = round(((AvgValue_Last10m/1024)/1024)/1024 ,2)| where AvgValue_Last10mGB &gt;= 90| fields - count </CODE></PRE> <P>so here the value is in byte? How can I make it as percentage?</P> Thu, 20 Apr 2017 22:37:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340615#M101020 sonila 2017-04-20T22:37:23Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340616#M101021 <P>hi sonila, <BR /> i guess percentage is determined against the total memory the host has. one may think each host will have different amount of memory but lets assume all machines has memory value of 10<BR /> here is a search that will do it based on your search.</P> <PRE><CODE>earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Available Memory" |stats avg(Value) as AvgValue_Last10m host | eval AvgValue_Last10mGB = round(((AvgValue_Last10m/1024)/1024)/1024 ,2) | eval myMem = 10 | eval memPCT = AvgValue_Last10mGB/10*100 | table host memPCT | where memPCT &gt; 90 </CODE></PRE> <P>hope it helps</P> Fri, 21 Apr 2017 04:26:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340616#M101021 adonio 2017-04-21T04:26:04Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340617#M101022 <P>@sonila... You would need to know the <STRONG>Total Physical Memory</STRONG> on the machine you are trying to monitor in order to calculate the %Available Megabyte. You can instead use <STRONG>% Committed Bytes in Use</STRONG> performance counter, which indicates Virtual Memory in Use and should not be &gt;80% or something as per your use case.</P> Fri, 21 Apr 2017 06:23:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340617#M101022 niketn 2017-04-21T06:23:57Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340618#M101023 <P>I dont have % Committed Bytes in Use as a counter</P> Fri, 21 Apr 2017 07:27:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340618#M101023 sonila 2017-04-21T07:27:07Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340619#M101024 <P>Thank you. It is very helpful but I dont know the amount of all machines. Do I really need to make an assumption?</P> Fri, 21 Apr 2017 07:29:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340619#M101024 sonila 2017-04-21T07:29:46Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340620#M101025 <P>If you do not have <STRONG>% Committed Bytes in Use</STRONG> memory performance counter, you or Splunk Admin would need to enable it on the server/s being monitored.</P> <P>Clearly you are using Perfmon for measuring your Windows Server performance. The current inputs.conf which is sending <STRONG>Perfmon:Available Memory</STRONG> counter needs to be configured to forward<BR /><BR /> <STRONG>% Committed Bytes in Use</STRONG> as well.</P> <P>Refer to following documentations on Performance Counters(You can also check out Performance Counters on Microsoft site for complete details):</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Performance_Monitor">http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Performance_Monitor</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsperformance#Collect_performance_metrics_in_English_regardless_of_system_locale">http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsperformance#Collect_performance_metrics_in_English_regardless_of_system_locale</A></P> Fri, 21 Apr 2017 08:08:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340620#M101025 niketn 2017-04-21T08:08:30Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340621#M101026 <P>If you have limited number of Windows servers(hosts) being monitored and you/your admin can not enable the % Committed Bytes in Use similar to Available Memory performance counter then you would need to maintain a lookup table or KV Store with Total Memory per server and use the approach that adonio has provided.</P> Fri, 21 Apr 2017 08:50:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340621#M101026 niketn 2017-04-21T08:50:30Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340622#M101027 <P>@sonila<BR /> Voting up @niketnilay comment, this is the right way to go and IMHO should also be the answer to your question and not only a comment</P> Fri, 21 Apr 2017 12:43:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340622#M101027 adonio 2017-04-21T12:43:32Z Re: How to edit my alert search to convert Available Memory value from bytes to a percentage? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340623#M101028 <P>@sonia , i have converted my comment to answer. Please accept if this helped.</P> Mon, 24 Apr 2017 18:28:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-alert-search-to-convert-Available-Memory-value/m-p/340623#M101028 niketn 2017-04-24T18:28:34Z