All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to modify a function in a report for Splunk App for Unix and Linux?

soleblazer
Engager
‎08-05-2014 11:19 AM

Hi there.

I'm fairly new to Splunk, so apologize if this is an easy one. I have setup Splunk's App for Unix..its collecting all the info very well from about 10 servers. My question is about the Reports that it provides. In the search app, if I go to reports I see lots of great reports created by the Splunk App for Unix. There is one that shows load average. I want to modify that so I can only show just certain groups of hosts. If I edit, instead of the search language, I just see a function in the search bar called Percent_Load_by_Host(*)

I'd like to be able to do something like 'Percent_Load_by_Host(server1,server3,etc) but if I enter more than one field it complains. So my question is, how can I modify this report and be able to use it for more than just showing the load average for everything? Thank you very much, still learning this.

0 Karma
Reply

somesoni2
Revered Legend
‎08-05-2014 11:37 AM

It is a macro and its definitions is like this (macros.conf)

[Percent_Load_by_Host(1)]
args = host
definition = `os_index` `memory_sourcetype` host=$host$ | timechart avg(loadAvg1mi) by host

Change the defintion to something like this

[Percent_Load_by_Host(1)]
    args = host
    definition = `os_index` `memory_sourcetype` [|gentimes start=-1 | eval host="\"".$host$."\"" | table host | makemv host delim="," | mvexpand host ] | timechart avg(loadAvg1mi) by host

Now you can pass "*" or comma separated list of host (host1,host2,host3).

0 Karma
Reply

soleblazer
Engager
‎08-06-2014 07:12 AM

Hi, I found the macros.conf file for this and commented out the original macro and replaced with what you gave. I get this error when I try and run the report now, I am pretty new to this so honestly dont know which part would be causing...

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*."\""'.

If its an easy one I would appreciate it 🙂 Thank you for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...