We are forwarding our mainframe statistical data from a purchased ISV product into Splunk.
The below information deals with our CPU utilization.
The values associated with the SMF70CIN_xxxx names are our different engine types.
The values associated with the SMF70PDT_nnnn names are processor dispatch times, cut at various times in the time interval.
The values associated with the SMF70CIX_nnnn names are index values to the engine type.
For instance, SMF70PDT entries 0001 thru 0004 refer to the SMF70CIX entries 0001 thru 0004 and point to SMF70CIN_0001, which indicates they are processor dispatch times for the CPs, our general purpose processors.
Likewise, SMF70PDT0005 and 0006 refer to SMF70CIX0005 and 0006 and indicate the entries are for the IIPs, our zIIP specialty engines.
I need to total the SMF70PDT entries for each engine type, labeling them with the values in the SMF70CIN_xxxx name/value pairs.
I've been searching the Splunk Answers for a solution, but likely don't know what keywords to use to properly describe my problem.
I hope my explanation and question make sense. Any help is greatly appreciated, even a "can't be done" answer.
SMF70CIN_0001: CP SMF70CIN_0002: SMF70CIN_0003: IFA SMF70CIN_0004: IFL SMF70CIN_0005: ICF SMF70CIN_0006: IIP SMF70CIX_0001: 0001 SMF70PDT_0001: 89783976 SMF70CIX_0002: 0001 SMF70PDT_0002: 1908676 SMF70CIX_0003: 0001 SMF70PDT_0003: 65 SMF70CIX_0004: 0001 SMF70PDT_0004: 40340832 SMF70CIX_0005: 0006 SMF70PDT_0005: 2462040 SMF70CIX_0006: 0006 SMF70PDT_0006: 23775 SMF70CIX_0007: 0001 SMF70PDT_0007: 696702146 SMF70CIX_0008: 0001 SMF70PDT_0008: 708156256 SMF70CIX_0009: 0001 SMF70PDT_0009: 568186607 SMF70CIX_0010: 0001 SMF70PDT_0010: 488755783 SMF70CIX_0011: 0006 SMF70PDT_0011: 159362721 SMF70CIX_0012: 0006 SMF70PDT_0012: 86652638 SMF70CIX_0013: 0005 SMF70PDT_0013: 534089 SMF70CIX_0014: 0001 SMF70PDT_0014: 74161460 SMF70CIX_0015: 0001 SMF70PDT_0015: 141 SMF70CIX_0016: 0001 SMF70PDT_0016: 85 SMF70CIX_0017: 0001 SMF70PDT_0017: 19617663 SMF70CIX_0018: 0006 SMF70PDT_0018: 6046543 SMF70CIX_0019: 0006 SMF70PDT_0019: 27434 SMF70CIX_0020: 0005 SMF70PDT_0020: 1410129 SMF70CIX_0021: 0004 SMF70PDT_0021: 545731359 SMF70CIX_0022: 0004 SMF70PDT_0022: 565817697 SMF70CIX_0023: 0004 SMF70PDT_0023: 591954605 SMF70CIX_0024: 0004 SMF70PDT_0024: 378145953 SMF70CIX_0025: 0004 SMF70PDT_0025: 102482037 SMF70CIX_0026: 0004 SMF70PDT_0026: 102639379 SMF70CIX_0027: 0004 SMF70PDT_0027: 2659389 SMF70CIX_0028: 0004 SMF70PDT_0028: 91 SMF70CIX_0029: 0001 SMF70PDT_0029: 35572965 SMF70CIX_0030: 0001 SMF70PDT_0030: 224 SMF70CIX_0031: 0001 SMF70PDT_0031: 99 SMF70CIX_0032: 0001 SMF70PDT_0032: 5273212 SMF70CIX_0033: 0006 SMF70PDT_0033: 3508159 SMF70CIX_0034: 0006 SMF70PDT_0034: 446519 SMF70CIX_0035: 0001 SMF70PDT_0035: 2458490 SMF70CIX_0036: 0001 SMF70PDT_0036: 1859409 SMF70CIX_0037: 0001 SMF70PDT_0037: 2688390 SMF70CIX_0038: 0001 SMF70PDT_0038: 5641697 SMF70CIX_0039: 0005 SMF70PDT_0039: 3574955 SMF70CIX_0040: 0004 SMF70PDT_0040: 2802845 SMF70CIX_0041: 0004 SMF70PDT_0041: 2958058 SMF70CIX_0042: 0004 SMF70PDT_0042: 6064567 SMF70CIX_0043: 0004 SMF70PDT_0043: 5966167 SMF70CIX_0044: 0006 SMF70PDT_0044: 543975 SMF70CIX_0045: 0006 SMF70PDT_0045: 525916
For the data above, what is the desired output? Is there any need to consider time or other sets of events or will every search return events that should be considered as 1 set (not multiple sets)?
Thank you for the quick response.
We'll want to sum the processor dispatch time for each interval record created by engine type.
TimeStamp CP IFL ICF IIP (We don't have IFA engines)
Under each engine type and each time interval will be the sum of the SMF70PDT entries for that engine type. With there being 96 15-minute intervals per day, I'd expect a report with 96 entries per day. There will be further eval statements to compute CPU percentage based on the processor dispatch times, but for now I'd like to get past this giant hurdle (in my view) and see if I can figure out the rest.
All the data that you've show is single event or each line is an event in Splunk? Is SMF70CIN_xxxx entries always same (for every 15 mins feed that you get)?
I copied the entries from Splunk for one time interval record. Currently, we receive the same multiple lines, as shown, for each interval record forwarded to Splunk. I don't know what will happen to the number of entries (the 45) if we upgrade the mainframe to a different box or upgrade our operating system. For right now, the SMF70CIN_xxxx entries are the same and static, as these are the engine types IBM has available on their SystemZ boxes.
Is it a single event or multiple event? E.g. if your run your search and do
| stats count do you get 1 or more than 1?
We need to know where the event boundaries are before we can begin with a solution. Your events do not look cut/pasted from the search results area.
I am very much under the impression that I've not done a real good job of explaining what I'm looking at. Any suggestions as to how to make it clearer will be greatly appreciated.