I currently show data for one server at a time on a dashboard, with panels for RAM usage, CPU Load (1min, 5min & 15min averages), CPU Utilization, Memory Usage by Command, and some data from the PS command. I'd like to create a dashboard with most of the same data, but for multiple machines at once. Adding multiple servers' data to these panels crowds it tremendously, so I was wondering if Sparklines might be my answer, maybe something like:
last 4 hours
| machine name | CPU usage | memory usage |
| machine 1 | cpu-sparkline | memory usage sparkline |
This search shows data from the top header and presents it in a timechart format:
index=os sourcetype=top_header host=hostname | timechart span=1m values(mem_total) values(mem_used) by host
This search shows a timechart of data from the top header:
index=os sourcetype=top_header host=hostname| eval cpuUsage = 100-cpu_idle | eval host=upper(host) | timechart span=5m values(cpuUsage) by host useother=f limit=50
Is what I'm looking for possible?
Try this:
index=os sourcetype=top_header host=hostname | stats sparkline(avg(mem_total),1m) sparkline(avg(mem_used),1m) BY host
Hi @banderson7,
You might want to check out the Dashboard Examples app to get some ideas on different ways to format a table for multiple resources, including options with sparklines.
https://splunkbase.splunk.com/app/1603/
See the "table elements" section for specific table examples.
Also, depending on how you want to present the metrics you are tracking, I wonder if you might be able to use a horizon chart in one or more of the panels you are creating. If you are working with the latest software version, you could consider this custom visualization app.
Here are some docs:
http://docs.splunk.com/Documentation/CustomViz/1.0.0/HorizonChart/HorizonChartIntro
And the app on Splunkbase:
https://splunkbase.splunk.com/app/3117/
Hope this helps!
Thanks, will check this out when I've upgraded my SHs to 6.4
Sparkline can only be used in conjunction with stats or chart commands. In your example, you could change your search to:
index=os sourcetype=top_header host=hostname| eval cpuUsage = 100-cpu_idle | eval host=upper(host) | bin _time span=5m | chart values(cpuUsage) over _time by host useother=f limit=50
However, you will get one sparkline for each host. So if you have 5 hosts, you'll end up with 5 sparklines for each time span.
http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Addsparklinestosearchresults
So this ran, and I can get a line graph, but don't get a Sparkline in Visualization. Where should I see that?
My bad... change the chart command to this:
.... | chart sparkline values(cpuUsage) over _time by host useother=f limit=50