- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Can you help me make a search string that returns ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an assignment, where the events under contents log measurements of diskusage of a Linux host.
read_ops |write_ops |read_KB |write_KB |servce_time |wait_time| device_bandwith_utilization(%) \ fields
The question is: what will the search query be here?
i need for example to make a search that makes a graph over field device_bandwith_utilization over time:
What i am thinking will be the correct answer is the following:
index="main" host="linux" collection="device_bandwith_utilization"
|timechart values(collection), then choose the tab visualization
does this seems correct for you guys ?
i am not able to test this because this events are just on paper.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If these are your only fields in the Event:
read_ops |write_ops |read_KB |write_KB |servce_time |wait_time| device_bandwith_utilization
I do not see and field called collection so your query might more likely start with:
index="main" host="linux" device_bandwith_utilization=*
In addition you've used the values() function within timechart. That doesn't seem to make huge sense in this scenario as is may return to much values if you choose a larger timeframe.
What you whant to use are aggregate functions such as avg() min() max() p75()...
index="main" host="linux" device_bandwith_utilization=*
| timechart avg(device_bandwith_utilization) as "Average BW utilization"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If these are your only fields in the Event:
read_ops |write_ops |read_KB |write_KB |servce_time |wait_time| device_bandwith_utilization
I do not see and field called collection so your query might more likely start with:
index="main" host="linux" device_bandwith_utilization=*
In addition you've used the values() function within timechart. That doesn't seem to make huge sense in this scenario as is may return to much values if you choose a larger timeframe.
What you whant to use are aggregate functions such as avg() min() max() p75()...
index="main" host="linux" device_bandwith_utilization=*
| timechart avg(device_bandwith_utilization) as "Average BW utilization"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@back2root i have some other questions which i have tried to answer, hope you can tell me if i am on right path.
1)Make a search that sums read_ops and write_ops(Disk io)
Ans:
index="main" host="linux" read_ops="" write_ops=""
|eval sum=read_ops+write_ops
2)Make a search that finds the heighest disk io for a time period
Ans:
index="main" host="linux" write_ops="*"
|stats max(count) by write_ops
3)Make search that finds the wait_time over 10
Ans:
index="main" host="linux" wait_time="*" wait_time>10
4)Make a search that finds write_kB/write_ops and gives the overall average for the entire search time
Ans:
index="main" host="linux" write_KB="" write_ops=""
|eval result = write_kB/write_ops //calculates
|stats avg(result) //finds the average
|timechart count by result // for the entire search time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@back2root I have some other questions which i have tried to answer, could you see if i am on the right path ?
1)Make a search that sums read_ops and write_ops(disk io) per event(log line)
Ans:
Index="main" host="host" read_ops="* "write_ops="*"
|eval sum = read_ops + write_ops
2) Make a search thats finds det heighest disk io for a time period
Ans:
Index="main" host="host" "write_ops="*"
|stats max(count) by write_ops
3)Make search finds wait_time over 10
Ans:
Index="main" host="host" wait_time="*" wait_time>10
4) Make a search that finds write_KB/write_ops and gives the overall average on the entire time
Ans:
Index="main" host="host" write_KB=""write_ops=""
|eval result=write_KB/write_ops //calculate
|stats avg(result) //the average of the result
|timechart count by result //For the entire search time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for clearing this up for me 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@aatha89, What Add-on are you using to collect the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just have this assignment on paper format, and havent been able to use any add-on
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
