All Apps and Add-ons

Splunk for *nix - Memory By host not showing properly

nirt
Path Finder

Hi,
I'm using Splunk for Unix and Linux and when I go to the Memory by Host, it shows me the information however I do not have it split up by Host when I have 'all hosts' picked.
I'm expecting this to view just like CPU by Host

Any idea?

Thanks

0 Karma
1 Solution

dart
Splunk Employee
Splunk Employee

The default graphs in that dashboard would lead to an 'extra' dimension as they have mulitple series on the same chart.

You could split out each of the functions:

## $SPLUNK_HOME/etc/apps/unix/local/macros.conf
## existing macro in the Dashboard
[Mem_Usage_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free, median(memUsedPct) as Percent_Mem_Used, median(swapUsedPct) as Percent_Swap
## new macros
[Mem_Free_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free by host
[Mem_Used_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(memUsedPct) as Percent_Mem_Used by host
[Mem_Swap_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(swapUsedPct) as Percent_Swap by host

And then switch out the view by placing the below into $SPLUNK_HOME/etc/apps/unix/local/data/ui/views/mem_by_host.xml

<form class="formsearch">
  <label>Memory by Host</label>

  <fieldset>
      <input type="dropdown" token="host" searchWhenChanged="true">
          <label>Host:</label>
          <default>localhost</default>
          <populatingSearch fieldForValue="host" fieldForLabel="host">| metadata type=hosts index=os</populatingSearch>
          <choice value="*">all</choice>
       </input>  
    <input type="time" searchWhenChanged="true"/>
  </fieldset>

  <row>
    <html><center><h1>Memory by Host</h1></center></html>
  </row>

  <row>
      <chart>
          <title>Percent Memory Free by Host</title>
          <searchTemplate>`Mem_Free_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Free</option>
      </chart>
      <chart>
          <title>Percent Memory Used by Host</title>
          <searchTemplate>`Mem_Used_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Used</option>
      </chart>
      <chart>
          <title>Percent Memory Swap by Host</title>
          <searchTemplate>`Mem_Swap_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Swap</option>
      </chart>
  </row>
  <row>
      <table>
          <title>Physical Memory by Host</title>
          <searchTemplate>`Memory_Hardware_by_Host($host$)`</searchTemplate>
      </table>
  </row>


</form>

View solution in original post

dart
Splunk Employee
Splunk Employee

The default graphs in that dashboard would lead to an 'extra' dimension as they have mulitple series on the same chart.

You could split out each of the functions:

## $SPLUNK_HOME/etc/apps/unix/local/macros.conf
## existing macro in the Dashboard
[Mem_Usage_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free, median(memUsedPct) as Percent_Mem_Used, median(swapUsedPct) as Percent_Swap
## new macros
[Mem_Free_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free by host
[Mem_Used_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(memUsedPct) as Percent_Mem_Used by host
[Mem_Swap_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(swapUsedPct) as Percent_Swap by host

And then switch out the view by placing the below into $SPLUNK_HOME/etc/apps/unix/local/data/ui/views/mem_by_host.xml

<form class="formsearch">
  <label>Memory by Host</label>

  <fieldset>
      <input type="dropdown" token="host" searchWhenChanged="true">
          <label>Host:</label>
          <default>localhost</default>
          <populatingSearch fieldForValue="host" fieldForLabel="host">| metadata type=hosts index=os</populatingSearch>
          <choice value="*">all</choice>
       </input>  
    <input type="time" searchWhenChanged="true"/>
  </fieldset>

  <row>
    <html><center><h1>Memory by Host</h1></center></html>
  </row>

  <row>
      <chart>
          <title>Percent Memory Free by Host</title>
          <searchTemplate>`Mem_Free_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Free</option>
      </chart>
      <chart>
          <title>Percent Memory Used by Host</title>
          <searchTemplate>`Mem_Used_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Used</option>
      </chart>
      <chart>
          <title>Percent Memory Swap by Host</title>
          <searchTemplate>`Mem_Swap_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Swap</option>
      </chart>
  </row>
  <row>
      <table>
          <title>Physical Memory by Host</title>
          <searchTemplate>`Memory_Hardware_by_Host($host$)`</searchTemplate>
      </table>
  </row>


</form>

dart
Splunk Employee
Splunk Employee

Thanks! I've edited the answer

0 Karma

alanfinlay
Path Finder

This works great, but one minor typo in the macros:

new macros

[Mem_Free_by_Host(1)]

Should be

new macros

[Mem_Free_for_Host(1)]

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...