https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447243#M191215 <P>Hi sukisen, <BR /> Timechart command is not taking a second argument, so it errors out. Any other ideas pls</P> Thu, 15 Aug 2019 02:26:11 GMT johnsasikumar 2019-08-15T02:26:11Z https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447240#M191212 <P>Hello,<BR /> Am trying to extract UNIX CPU data core wise for multiple hosts, Am using the below query for extract, </P> <P>source=cpu host="XYZ"<BR /> | multikv fields CPU pctIdle<BR /> | eval Percent_CPU_Load = 100 - pctIdle <BR /> | timechart span=5m eval(round(avg(Percent_CPU_Load),0)) by CPU<BR /> | table _time all *<BR /> | eval _time=strftime(_time,"%m/%d/%Y %H:%M:%S")<BR /> | table _time all *</P> <P>however this looses the host field after the timechart command and am not able to view name of the host in the table.</P> <P>"_time",all,0,1,2,3,4,5,6,7<BR /> "08/14/2019 14:35:00",3,3,4,4,5,3,2,3,2<BR /> "08/14/2019 14:40:00",5,5,7,6,5,5,4,5,4<BR /> "08/14/2019 14:45:00",4,4,4,5,5,4,4,3,4<BR /> "08/14/2019 14:50:00",2,2,1,2,2,2,5,4,1</P> <P>I also tried with the bucket and stats command which gives the host field (query as below) but, it changes the format.</P> <P>index=main host="XYZ" source=cpu<BR /> | multikv fields pctIdle host CPU<BR /> | eval Percent_CPU_Load = 100 - pctIdle<BR /> | table _time host CPU Percent_CPU_Load<BR /> | bucket _time span=5m<BR /> | stats avg(Percent_CPU_Load) by _time,CPU,host</P> <P>"_time",CPU,host,"avg(Percent_CPU_Load)"<BR /> "2019-08-13T14:00:00.000-0400",0,"XYZ","1.9040000000000006"<BR /> "2019-08-13T14:00:00.000-0400",1,"XYZ","2.8860000000000015"<BR /> "2019-08-13T14:00:00.000-0400",2,"XYZ","2.1960000000000006"<BR /> "2019-08-13T14:00:00.000-0400",3,"XYZ","2.7099999999999995"<BR /> "2019-08-13T14:00:00.000-0400",4,"XYZ","2.5839999999999987"<BR /> "2019-08-13T14:00:00.000-0400",5,"XYZ","2.595"<BR /> "2019-08-13T14:00:00.000-0400",6,"XYZ","2.1990000000000007"<BR /> "2019-08-13T14:00:00.000-0400",7,"XYZ","2.093000000000001"</P> <P>Am also unable to use an eval command and add a host field, Because the query is for an extract and I might need to add multiple hosts.<BR /> So please could some one help me with an extract in the below format</P> <P>_time, Host, all,0,1,2,3,4,5,6,7</P> Wed, 30 Sep 2020 01:44:16 GMT https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447240#M191212 johnsasikumar 2020-09-30T01:44:16Z https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447241#M191213 <P>what happens if inyour first code, you just tinker with the timechart a bit</P> <PRE><CODE>| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) ,values(host) by CPU </CODE></PRE> Wed, 14 Aug 2019 19:25:05 GMT https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447241#M191213 Sukisen1981 2019-08-14T19:25:05Z https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447242#M191214 <P>Hi Sukisen,<BR /> Timechart command doesn’t accept a second argument. So it’s throwing an error.</P> Thu, 15 Aug 2019 02:24:11 GMT https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447242#M191214 johnsasikumar 2019-08-15T02:24:11Z https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447243#M191215 <P>Hi sukisen, <BR /> Timechart command is not taking a second argument, so it errors out. Any other ideas pls</P> Thu, 15 Aug 2019 02:26:11 GMT https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447243#M191215 johnsasikumar 2019-08-15T02:26:11Z https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447244#M191216 <P>hi @johnsasikumar the issue is with the renaming try this. Timechart won;t take more than 1 field AFTER the by clause , but there are no restrictions before the by clause</P> <PRE><CODE>| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) as cpu_load ,values(host) as host by CPU </CODE></PRE> Thu, 15 Aug 2019 06:04:20 GMT https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447244#M191216 Sukisen1981 2019-08-15T06:04:20Z https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447245#M191217 <P>Hi @Sukisen1981 <BR /> I did try and rename, it works when I give one host. But it doesn’t work for multiple hosts. <BR /> When I add an additional host it doesn’t work</P> Thu, 15 Aug 2019 08:39:28 GMT https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447245#M191217 johnsasikumar 2019-08-15T08:39:28Z https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447246#M191218 <P>in your first code having the timechart, what if you also extract the host using multikv?<BR /> source=cpu host="XYZ"<BR /> | multikv fields CPU pctIdle host</P> <P>and then apply the timechart with rename?</P> Thu, 15 Aug 2019 10:07:37 GMT https://community.splunk.com/t5/Splunk-Search/UNIX-CPU-data-extraction-for-multiple-hosts/m-p/447246#M191218 Sukisen1981 2019-08-15T10:07:37Z