How to modify a function in a report for Splunk App for Unix and Linux?

soleblazer
Engager

Hi there.

I'm fairly new to Splunk, so I apologize if this is an easy one. I have set up Splunk's App for Unix. It's collecting all the info very well from about 10 servers. My question is about the Reports that it provides. In the search app, if I go to reports I see lots of great reports created by the Splunk App for Unix. There is one that shows load average. I want to modify that so I can only show just certain groups of hosts. If I edit, instead of the search language, I just see a function in the search bar called Percent_Load_by_Host(*).

I'd like to be able to do something like Percent_Load_by_Host(server1,server3,etc), but if I enter more than one field it complains. So my question is, how can I modify this report and be able to use it for more than just showing the load average for everything? Thank you very much, still learning this.

0 Karma

somesoni2
Revered Legend

It is a macro, and its definition is like this (macros.conf):

    [Percent_Load_by_Host(1)]
    args = host
    definition = `os_index` `memory_sourcetype` host=$host$ | timechart avg(loadAvg1mi) by host

Change the definition to something like this:

[Percent_Load_by_Host(1)]
    args = host
    definition = `os_index` `memory_sourcetype` [|gentimes start=-1 | eval host="\"".$host$."\"" | table host | makemv host delim="," | mvexpand host ] | timechart avg(loadAvg1mi) by host 

Now you can pass "*" or a comma-separated list of hosts (host1,host2,host3).

0 Karma

soleblazer
Engager

Hi, I found the macros.conf file for this and commented out the original macro and replaced it with what you gave. I get this error when I try to run the report now. I am pretty new to this, so I honestly don't know which part would be causing...

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*."\""'.

If it's an easy one I would appreciate it 🙂 Thank you for the help!

0 Karma
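
The eval error reported above is what textual macro substitution produces when `$host$` sits outside the string literal: with `*` as the argument, the expression expands to `"\"".*."\""`. A corrected stanza follows as an added example, not part of the original thread or the app's shipped configuration; it assumes the same `os_index` and `memory_sourcetype` macros from the posted definition, and the host names in the comments are constructed.

```ini
# macros.conf (added example; assumes the os_index and memory_sourcetype
# macros referenced in the posted definition)
#
# As posted, with * as the argument, the subsearch expands to
#   eval host="\"".*."\""
# because $host$ is pasted in as raw text outside any string literal,
# and eval stops at the bare *.
#
# With $host$ inside the string literal, every argument becomes a plain string:
#   *            -> eval host="*"
#   web01,web02  -> eval host="web01,web02"   (constructed host names)
# makemv and mvexpand split the list into one row per host, so the subsearch
# hands host="web01" OR host="web02" back to the outer search.
[Percent_Load_by_Host(1)]
args = host
definition = `os_index` `memory_sourcetype` [| gentimes start=-1 | eval host="$host$" | makemv delim="," host | mvexpand host | table host] | timechart avg(loadAvg1mi) by host
```

A list is passed as one quoted argument, for example Percent_Load_by_Host("web01,web02") inside backticks, because unquoted commas are read as argument separators.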