All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to modify a function in a report for Splunk App for Unix and Linux?

soleblazer
Engager
‎08-05-2014 11:19 AM

Hi there.

I'm fairly new to Splunk, so apologize if this is an easy one. I have setup Splunk's App for Unix..its collecting all the info very well from about 10 servers. My question is about the Reports that it provides. In the search app, if I go to reports I see lots of great reports created by the Splunk App for Unix. There is one that shows load average. I want to modify that so I can only show just certain groups of hosts. If I edit, instead of the search language, I just see a function in the search bar called Percent_Load_by_Host(*)

I'd like to be able to do something like 'Percent_Load_by_Host(server1,server3,etc) but if I enter more than one field it complains. So my question is, how can I modify this report and be able to use it for more than just showing the load average for everything? Thank you very much, still learning this.

0 Karma
Reply

somesoni2
Revered Legend
‎08-05-2014 11:37 AM

It is a macro and its definitions is like this (macros.conf)

[Percent_Load_by_Host(1)]
args = host
definition = `os_index` `memory_sourcetype` host=$host$ | timechart avg(loadAvg1mi) by host

Change the defintion to something like this

[Percent_Load_by_Host(1)]
    args = host
    definition = `os_index` `memory_sourcetype` [|gentimes start=-1 | eval host="\"".$host$."\"" | table host | makemv host delim="," | mvexpand host ] | timechart avg(loadAvg1mi) by host

Now you can pass "*" or comma separated list of host (host1,host2,host3).

0 Karma
Reply

soleblazer
Engager
‎08-06-2014 07:12 AM

Hi, I found the macros.conf file for this and commented out the original macro and replaced with what you gave. I get this error when I try and run the report now, I am pretty new to this so honestly dont know which part would be causing...

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*."\""'.

If its an easy one I would appreciate it 🙂 Thank you for the help!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...