- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently show data for one server at a time on a dashboard, with panels for RAM usage, CPU Load (1min, 5min & 15min averages), CPU Utilization, Memory Usage by Command, and some data from the PS command. I'd like to create a dashboard with most of the same data, but for multiple machines at once. Adding multiple servers data to these panels crowds it tremendously, so I was wondering if Sparklines might be my answer, maybe something like
last 4 hours
| machine name | CPU usage | memory usage |
| machine 1 | cpu-sparkline | memory usage sparkline |
This search shows data from the top header and presents it in a timechart format
index=os sourcetype=top_header host=hostname | timechart span=1m values(mem_total) values(mem_used) by host
This search shows a timechart of data from the top header:
index=os sourcetype=top_header host=hostname| eval cpuUsage = 100-cpu_idle | eval host=upper(host) | timechart span=5m values(cpuUsage) by host useother=f limit=50
Is what I'm looking for possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=os sourcetype=top_header host=hostname | stats sparkline(avg(mem_total),1m) sparkline(avg(mem_used),1m) BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=os sourcetype=top_header host=hostname | stats sparkline(avg(mem_total),1m) sparkline(avg(mem_used),1m) BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @banderson7,
You might want to check out the Dashboard Examples app to get some ideas on different ways to format a table for multiple resources, including options with sparklines.
https://splunkbase.splunk.com/app/1603/
See the "table elements" section for specific table examples.
Also, depending on how you want to present the metrics you are tracking, I wonder if you might be able to use a horizon chart in one or more of the panels you are creating. If you are working with the latest software version, you could consider this custom visualization app.
Here are some docs:
http://docs.splunk.com/Documentation/CustomViz/1.0.0/HorizonChart/HorizonChartIntro
And the app on Splunkbase:
https://splunkbase.splunk.com/app/3117/
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, will check this out when I've upgraded my SHs to 6.4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Spakline can only be used in conjunction with stats or chart commands. In your example, you could change you search to
index=os sourcetype=top_header host=hostname| eval cpuUsage = 100-cpu_idle | eval host=upper(host) | bin _time span=5m | chart values(cpuUsage) over _time by host useother=f limit=50
However, you will get one sparkline for each host. So if you have 5 hosts, you'll end up with 5 sparklines for each time span.
http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Addsparklinestosearchresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this ran, and I can get a line graph, but don't get a Sparkline in Visualization. Where should I see that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad... change the chart command to this
.... | chart sparkline values(cpuUsage) over _time by host useother=f limit=50
