Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
All Apps and Add-ons
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk for *nix - Memory By host not showing prope...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nirt
Path Finder
09-04-2012
06:16 AM
Hi,
I'm using Splunk for Unix and Linux and when I go to the Memory by Host, it shows me the information however I do not have it split up by Host when I have 'all hosts' picked.
I'm expecting this to view just like CPU by Host
Any idea?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dart
Splunk Employee
09-04-2012
08:15 AM
The default graphs in that dashboard would lead to an 'extra' dimension as they have mulitple series on the same chart.
You could split out each of the functions:
## $SPLUNK_HOME/etc/apps/unix/local/macros.conf
## existing macro in the Dashboard
[Mem_Usage_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free, median(memUsedPct) as Percent_Mem_Used, median(swapUsedPct) as Percent_Swap
## new macros
[Mem_Free_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free by host
[Mem_Used_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memUsedPct) as Percent_Mem_Used by host
[Mem_Swap_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(swapUsedPct) as Percent_Swap by host
And then switch out the view by placing the below into $SPLUNK_HOME/etc/apps/unix/local/data/ui/views/mem_by_host.xml
<form class="formsearch">
<label>Memory by Host</label>
<fieldset>
<input type="dropdown" token="host" searchWhenChanged="true">
<label>Host:</label>
<default>localhost</default>
<populatingSearch fieldForValue="host" fieldForLabel="host">| metadata type=hosts index=os</populatingSearch>
<choice value="*">all</choice>
</input>
<input type="time" searchWhenChanged="true"/>
</fieldset>
<row>
<html><center><h1>Memory by Host</h1></center></html>
</row>
<row>
<chart>
<title>Percent Memory Free by Host</title>
<searchTemplate>`Mem_Free_for_Host($host$)`</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.secondaryAxisTitle.text">% Mem Free</option>
</chart>
<chart>
<title>Percent Memory Used by Host</title>
<searchTemplate>`Mem_Used_for_Host($host$)`</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.secondaryAxisTitle.text">% Mem Used</option>
</chart>
<chart>
<title>Percent Memory Swap by Host</title>
<searchTemplate>`Mem_Swap_for_Host($host$)`</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.secondaryAxisTitle.text">% Mem Swap</option>
</chart>
</row>
<row>
<table>
<title>Physical Memory by Host</title>
<searchTemplate>`Memory_Hardware_by_Host($host$)`</searchTemplate>
</table>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dart
Splunk Employee
09-04-2012
08:15 AM
The default graphs in that dashboard would lead to an 'extra' dimension as they have mulitple series on the same chart.
You could split out each of the functions:
## $SPLUNK_HOME/etc/apps/unix/local/macros.conf
## existing macro in the Dashboard
[Mem_Usage_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free, median(memUsedPct) as Percent_Mem_Used, median(swapUsedPct) as Percent_Swap
## new macros
[Mem_Free_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free by host
[Mem_Used_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memUsedPct) as Percent_Mem_Used by host
[Mem_Swap_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(swapUsedPct) as Percent_Swap by host
And then switch out the view by placing the below into $SPLUNK_HOME/etc/apps/unix/local/data/ui/views/mem_by_host.xml
<form class="formsearch">
<label>Memory by Host</label>
<fieldset>
<input type="dropdown" token="host" searchWhenChanged="true">
<label>Host:</label>
<default>localhost</default>
<populatingSearch fieldForValue="host" fieldForLabel="host">| metadata type=hosts index=os</populatingSearch>
<choice value="*">all</choice>
</input>
<input type="time" searchWhenChanged="true"/>
</fieldset>
<row>
<html><center><h1>Memory by Host</h1></center></html>
</row>
<row>
<chart>
<title>Percent Memory Free by Host</title>
<searchTemplate>`Mem_Free_for_Host($host$)`</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.secondaryAxisTitle.text">% Mem Free</option>
</chart>
<chart>
<title>Percent Memory Used by Host</title>
<searchTemplate>`Mem_Used_for_Host($host$)`</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.secondaryAxisTitle.text">% Mem Used</option>
</chart>
<chart>
<title>Percent Memory Swap by Host</title>
<searchTemplate>`Mem_Swap_for_Host($host$)`</searchTemplate>
<option name="charting.chart">line</option>
<option name="charting.secondaryAxisTitle.text">% Mem Swap</option>
</chart>
</row>
<row>
<table>
<title>Physical Memory by Host</title>
<searchTemplate>`Memory_Hardware_by_Host($host$)`</searchTemplate>
</table>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dart
Splunk Employee
09-06-2013
01:36 AM
Thanks! I've edited the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alanfinlay
Path Finder
09-06-2013
12:05 AM
This works great, but one minor typo in the macros:
new macros
[Mem_Free_by_Host(1)]
Should be
new macros
[Mem_Free_for_Host(1)]
Get Updates on the Splunk Community!
Updated Team Landing Page in Splunk Observability
We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
