Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Hi I'm new to splunk,. and I have the code to generate a dashboard Panel to show the top 5 Servers with high CPU. but I only get 1 server at 68% ..

jampar12
New Member
‎01-22-2018 08:56 AM

index=b2b_os host=* sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as MEM | table host MEM |top | dedup host

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎01-22-2018 11:37 AM

Try this (untested) search which I think may be closer to what you need:

index=b2b_os sourcetype=top pctMEM=*| streamstats sum(pctMEM) as Mem |top 5 Mem | table host Mem
If my comment helps, please give it a thumbs up!
0 Karma
Reply

jampar12
New Member
‎01-22-2018 12:43 PM

thank you .. it's working good now .. Just one more small ask ..

I need to add if the Mem >= 10 % then turn green and if it's >=50& turn yellow and if it's 90% turn red ..

0 Karma
Reply

nickhills
Ultra Champion
‎01-22-2018 01:36 PM

You can use rangemap to set the target colours for a given result, but this wont colour a table for you (you would need to modify the CSS for that) but if your using charts, this should set the colours as per your definitions

...| rangemap field=Mem green=0-49 yellow=50-89 default=red|...

http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Rangemap

If my comment helps, please give it a thumbs up!
0 Karma
Reply

horsefez
Motivator
‎01-22-2018 11:27 AM

Hi jampar12,

please provide us with some sample events and also your pctMEM= at the beginning of your search has no value assigned, as well as the host-field

0 Karma
Reply

nickhills
Ultra Champion
‎01-22-2018 11:33 AM

Also |transaction with _time will only group events which share the same exact timestamp - probably not what you want.

Also I presume you mean memory use, rather than high CPU?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...