topic Re: Simple chart from field values, rather than field count in Splunk Search

Simple chart from field values, rather than field count

beaunewcomb — Wed, 30 Mar 2011 06:43:52 GMT

sourcetype=syslog "CPU Temp" | sort –CPU_Temp | table host CPU_Temp

CPU_Temp is a field with a numerical value (Temp of the CPU in celsius)

I'd like to create a chart with the resulting data: x-axis = host y-axis = CPU_Temp

So far everything I've tried with the GUI and the chart command isn't working. Does anyone have any ideas?

Bonus if you can make it show the top 100 CPU Temps!

Re: Simple chart from field values, rather than field count

LCM — Wed, 30 Mar 2011 20:16:42 GMT

sourcetype=syslog "CPU Temp" | stats avg(CPU_Temp) by host | sort -avg(CPU_temp) | head 100

or, if you want to have more like a timechart (although by 100 hosts, it might be not that nice)

sourcetype=syslog "CPU Temp" | timechart span=10m avg(CPU_Temp) by host

Re: Simple chart from field values, rather than field count

beaunewcomb — Thu, 31 Mar 2011 01:38:44 GMT

Looks like it would work, but I get an empty chart! Also, avg CPU isn't going to be concise enough. Do you know if there's a way to get the LATEST field for each host entry?

Re: Simple chart from field values, rather than field count

LCM — Thu, 31 Mar 2011 02:14:20 GMT

To get one entry per host you can do:

sourcetype=syslog "CPU Temp" | dedup host | table host CPU_Temp

The avg command is not doing something special - only math like: 100dg, 100dg, 1deg = avg67deg. It may look no concise enough, but is fully ok!

You get that empty chart on the first or second command? Have you tried to play around with the time (last 15mins, all time, etc) ?