topic Re: "eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from? in Splunk Search

"eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

PreetiKa — Mon, 18 Apr 2016 15:50:35 GMT

I have a search which uses an eval expression for a calculation.

eval UsedMemory= (Avg_Memory/Total_Memory)

I want to know where this Avg_Memory and Total_Memory fields are coming from or how are they are calculated.

Re: "eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

diogofgm — Mon, 18 Apr 2016 17:53:45 GMT

Check the events that have those fields. Those might be fields extracted directly from whats already available in your raw data. Can you give more information about what you looking at (e.g. sourcetype, etc)

Re: "eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

PreetiKa — Mon, 18 Apr 2016 18:08:47 GMT

index=abc search_name="abc_MEMORY_SUMMARY" | 
lookup abc-environments host AS orig_host OUTPUT environment | 
search orig_host=SomeSpecificServer| timechart span=1min avg(eval((Avg_MemoryKb/Total_MemoryKb)*100)) as Memory by orig_host limit=0 | 
WHERE Memory > 90

This is my search; here I want to chart out the servers who have a memory consumption of over 90%, but the result is not satisfactory. I get almost every server with 50% memory consumption which is ideally not possible.

Also, I was wondering if I could create a lookup (without modifying my props.conf & transform.conf) and first list out the memory of all the hosts listed under my index? But I'm not sure if this is something achievable. Pardon me if this is something very simple. I am on my learning curve for SPLUNK. 🙂 Thank you for your time.

Re: "eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

diogofgm — Mon, 18 Apr 2016 22:55:24 GMT

About the original question, i still can't tell where those 2 fields are coming from 😕 are you using any TA (linux, windows)?
About the lookup, yes its possible to create. From the search you are already using a lookup the uses the host and outputs the "environment". To make it automatic, instead of using the command in your search, you can go to settings->lookups. You get 3 options after selection lookups.

upload your csv
create the lookup table
create the automatic lookup

From the docs: lookups

Re: "eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

PreetiKa — Thu, 21 Apr 2016 07:35:51 GMT

Thank you for your time. I got to figure this out after digging a little more with the help of a colleague. I appreciate your help 🙂