https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280051#M190499 <P>It's not very exciting (one row per pseudo-event):</P> <P>_time,host,itemKey="system.cpu.util[user_utilization,#socket,#core,]",value=int<BR /> ....<BR /> _time,hostN,itemKey="system.cpu.util[user_utilization,#socket,#core,]",value=int</P> Tue, 29 Sep 2020 09:25:45 GMT NickJLange 2020-09-29T09:25:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280047#M190495 <P><STRONG>Disclaimer</STRONG>: I'm not saying this particular example is useful analysis - I'm just not sure how to think about solving a problem like this in Splunk properly.</P> <P>I have thousands of events of Zabbix Data where socket-wide data points are normalized into individual events. i.e. system.cpu.util[socket,core,type] across heterogeneous hardware configurations (i.e. # of sockets or # of cores are different).<BR /> I want to understand the distribution of the load across a socket by machine modeltype to ensure it matches up to temperature readings - and then flag outliers (either on temperature or idle cores).</P> <P>I've seen tricks around extracting the itemKey into named Variables which I think works because the timestamp is exactly the same.... but how do you run stats on variables that might not exist? (i.e. socket 4 or core 20?)</P> <P>Does any of this make sense?</P> Sun, 10 Apr 2016 16:09:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280047#M190495 NickJLange 2016-04-10T16:09:57Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280048#M190496 <P>Is list of possible socket/core fixed?</P> Mon, 11 Apr 2016 15:20:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280048#M190496 somesoni2 2016-04-11T15:20:23Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280049#M190497 <P>Do provide some sample data.</P> Mon, 11 Apr 2016 21:39:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280049#M190497 martin_mueller 2016-04-11T21:39:14Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280050#M190498 <P>It is hard to predict the socket/core count... but it is a finite set.</P> Sat, 16 Apr 2016 17:54:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280050#M190498 NickJLange 2016-04-16T17:54:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280051#M190499 <P>It's not very exciting (one row per pseudo-event):</P> <P>_time,host,itemKey="system.cpu.util[user_utilization,#socket,#core,]",value=int<BR /> ....<BR /> _time,hostN,itemKey="system.cpu.util[user_utilization,#socket,#core,]",value=int</P> Tue, 29 Sep 2020 09:25:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280051#M190499 NickJLange 2020-09-29T09:25:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280052#M190500 <P>Currently, the query uses rex to extract the #socket/#core are extracted to new variables via Rex...</P> Mon, 18 Apr 2016 12:27:16 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280052#M190500 NickJLange 2016-04-18T12:27:16Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280053#M190501 <P>What will the field value contains? </P> Mon, 18 Apr 2016 13:51:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280053#M190501 somesoni2 2016-04-18T13:51:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280054#M190502 <P>an integer value from 1- 100. representing utilization ... the equiv of /proc/stat</P> Fri, 06 May 2016 15:09:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280054#M190502 NickJLange 2016-05-06T15:09:59Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280055#M190503 <PRE><CODE> ... host=hostname |eval socket=if(isnull(socket),"null",socket) | timechart avg(value) max(value) by socket </CODE></PRE> <P>AND</P> <PRE><CODE> ... host=hostname | eval core=if(isnull(core),"null",core)| timechart avg(value) max(value) by core </CODE></PRE> <P>should be fine for a host by host basis. Both would work well on a dashboard with a drop down list to select the hostname etc.</P> <PRE><CODE> ... |eval socket=if(isnull(socket),"null",socket) | eval core=if(isnull(core),"null",core)| stats avg(value) max(value) by host core socket </CODE></PRE> <P>The above should be fine for an analyst to select specific time ranges with time picker and see if activity spikes occured, etc.</P> Sat, 07 May 2016 00:56:26 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280055#M190503 jkat54 2016-05-07T00:56:26Z https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280056#M190504 <P>Thank you for the helpful suggestion. I'm looking for more aggregate trends across a class of hosts with different underlying hardware models - which sort of precludes individual host analysis with eyeballs...</P> Sun, 08 May 2016 15:18:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-subtotal-processor-utilization/m-p/280056#M190504 NickJLange 2016-05-08T15:18:32Z