
How to calculate percentage of memory used value in each message and create time chart to show percentage value?

hungln9
Explorer

Hi Teams,

I am a newbie to Splunk. I have a log message like this:

10/04/2022
10:12:31.000
 
START RequestId: 46618528-6242-4eee-97b2-270e875bac1e Version: 165 END RequestId: 46618528-6242-4eee-97b2-270e875bac1e REPORT RequestId: 46618528-6242-4eee-97b2-270e875bac1e Duration: 68.98 ms Billed Duration: 69 ms Memory Size: 256 MB Max Memory Used: 170 MB START RequestId: 9a8f3f1e-aa03-40d9-a064-bb10a47a92eb Version: 163 END RequestId: 9a8f3f1e-aa03-40d9-a064-bb10a47a92eb REPORT RequestId: 9a8f3f1e-aa03-40d9-a064-bb10a47a92eb Duration: 3.76 ms Billed Duration: 4 ms Memory Size: 256 MB Max Memory Used: 184 MB

 

I want to get the Max Memory Used value as a percentage (Max Memory Used/Memory Size) in each message and create a time chart to show this value. Can anyone help me with this?


hungln9
Explorer

Thank you all

In my case it works with the below query:


index=my_index
| rex max_match=0 "Memory Size:\s(?<max_memory>\d+)\sMB"
| rex max_match=0 "Max Memory Used:\s(?<mem_used>\d+)\sMB"
| eval mem_used_perc=round((mem_used/max_memory)*100,2)
| timechart max(mem_used_perc) by source


 

I want to add a condition to create an alarm when mem_used_perc is over 80, but it does not work, even when I tried with the value mem_used_perc>10. Below is my query:

index=my_index*
| rex max_match=0 "Memory Size:\s(?<max_memory>\d+)\sMB"
| rex max_match=0 "Max Memory Used:\s(?<mem_used>\d+)\sMB"
| eval mem_used_perc=round((mem_used/max_memory)*100,2)
| timechart max(mem_used_perc) by source
| where mem_used_perc>80


 

@tshah-splunk, @ITWhisperer, can you guys help me correct it?


ITWhisperer
SplunkTrust

Remove the timechart command

Given that you are looking for max values, you could just look for events which meet these criteria.

hungln9
Explorer

Many thanks @ITWhisperer 

In my case, it works with the below query:

index=my_index
| rex max_match=0 "Memory Size:\s(?<max_memory>\d+)\sMB"
| rex max_match=0 "Max Memory Used:\s(?<mem_used>\d+)\sMB"
| eval mem_used_perc=round((mem_used/max_memory)*100,2)
| where mem_used_perc>80
| timechart max(mem_used_perc) by source




ITWhisperer
SplunkTrust

You could extract the values with rex.

| rex max_match=0 "Memory Size:\s(?<max_memory>\d+)\sMB"
| rex max_match=0 "Max Memory Used:\s(?<mem_used>\d+)\sMB"

This will pick up both sets of values from your message in multi-value fields.

Do you want just one of them or do you want to work with both?
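
Working with both sets of values, as raised in the reply above: this is an added example, not a query from the thread. It pairs each Memory Size with its Max Memory Used so every invocation in the event gets its own percentage before the threshold is applied. The `makeresults` event, its RequestId values, the `source` value and the `pair` field name are constructed for illustration.

```spl
| makeresults
| eval source="constructed-sample", _raw="REPORT RequestId: 00000000-0000-0000-0000-000000000001 Duration: 68.98 ms Billed Duration: 69 ms Memory Size: 256 MB Max Memory Used: 170 MB REPORT RequestId: 00000000-0000-0000-0000-000000000002 Duration: 3.76 ms Billed Duration: 4 ms Memory Size: 256 MB Max Memory Used: 230 MB"
| rex max_match=0 "Memory Size:\s(?<max_memory>\d+)\sMB"
| rex max_match=0 "Max Memory Used:\s(?<mem_used>\d+)\sMB"
| eval pair=mvzip(max_memory, mem_used)
| mvexpand pair
| eval max_memory=tonumber(mvindex(split(pair, ","), 0)), mem_used=tonumber(mvindex(split(pair, ","), 1))
| eval mem_used_perc=round((mem_used/max_memory)*100, 2)
| where mem_used_perc>80
| timechart max(mem_used_perc) by source
```

`mvzip` joins the two multi-value fields position by position, and `mvexpand` turns each pair into its own row, so the `where` filter sees one invocation at a time. Replace the first two lines with the real base search (for example `index=my_index`) to run it against indexed data.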

tshah-splunk
Splunk Employee

Hey @hungln9,

You can use the eval function to perform arithmetical operations on the field values. Below is an expression that you can add to your search.

<<your_base_query>>
| eval mem_used_perc=round((mem_used/max_memory)*100,2)
| timechart span=<<time_span_interval>> max(mem_used_perc)

 

PS: The above expression is written with the assumption that Max Memory Used is stored under field mem_used and Memory Size is stored under max_memory field.

---
If you find the answer helpful, an upvote/karma is appreciated