I would like to graph the average page response time vs CPU utilization on a specific server over a given time period.
What I envision is CPU utilization on the y-axis (ascending), with the corresponding response time on the x-axis (ascending as well).
Logic tells me you can associate these two values using the _time field.
If someone could point me in the right direction, I would appreciate it.
In Splunk, the Y-axis is always the numeric result of a function within one of the reporting commands.
Given a set of input events that looked something like this
[timestamp] host CPUutil% ReponseTimeinSec other stuff
You could do something like this
yoursearchhere | bin _time span=5m | stats avg(cpu_utilization) as CPU avg(response_time_in_sec) as ResponseTime by _time | eval series="CPU,ResponseTime" | makemv delim="," series | mvexpand series | eval Yvalue = if (series=="CPU",CPU,ResponseTime) | timechart span=5m sum(Yvalue) as Y by series
This plays some games to create two data series, one for CPU and one for ResponseTime, and then graphs them together. You could also do this by running two searches and combining the results, but that might require searching the data twice.
Note that the scale for the CPU utilization will run from 0 to 100%. I have no idea what the scale for the response time might be in your environment. Mapping these two series on a single Y axis may not be easy to read if their scales are very different.
Finally, this solution depends on having the CPU utilization and the response time available in the same events. If the data is different, then the solution could be either much easier or harder.
If this answer is not helpful, please provide more specifics about the data!
| bin _time span=10s
| stats avg(time_taken) as time1 by _time
| eval Time=time1/1000
[search host=server1 sourcetype="CPU Load" counter="% Processor Time" | bin _time span=10s | stats avg(Value) as CPU by _time]
| eval series="CPU, Time"
| makemv delim="," series
| mvexpand series
| eval Yvalue = if (series=="CPU", CPU, Time)
| timechart span=10s sum(Yvalue) as Y by series
This works the way you describe it, however I am looking for something slightly different.
First, some notes on your original answer. I did indeed need to scale my response time (from ms to s).
Secondly, CPU and response time are not available in the same events. I think I worked my way through this however. I end up with the following: