Hi,
I have a cron job with some performance-related scripts that run every 5 minutes and send their output to an indexed folder.
Attaching the top command output: link text
I'd like corresponding graphs from the Unix top command output. How can we create the visualizations from top output? Any help is appreciated.
First make sure that each run's output is treated as a single event:
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Configureeventlinebreaking
Then use multikv to create multiple events from that:
http://blogs.splunk.com/2007/08/23/ripping-mulitline-events-at-seach-time/
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Multikv
For uptime, you do not use multikv; just send the entire output in as a single event and use a field extraction like this:
... | rex "(?<time>.*)\s+up\s+(?<updays>.*)\s+days,\s+(?<uphours>\d+):(?<upminutes>\d+),\s+(?<num_users>\d+)\s+users,\s+load\s+average:\s+(?<avgload_1minute>.+),\s+(?<avgload_5minutes>.+),\s+(?<avgload_15minutes>.+)"
Thank you, I was not able to copy my output.
Usually, when we run the uptime command in Linux, it shows the load average as 3 values delimited by commas.
Can we visualize these load average values in any kind of chart?
You can then add this:
... | timechart avg(avgload*) BY host
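As an added illustration (not part of the original thread or of Splunk itself) of what the two answers above produce: the rex from the uptime answer is applied to the sample uptime line from the question, a small multikv-style splitter turns a top process table into one record per row, and a per-host average reproduces the calculation behind the timechart. The top table, the host names and the second uptime line for each host are constructed for the example. Note that the rex is rewritten with Python's (?P<name>...) group syntax, and that it only matches lines containing "N days,", so a host up for less than a day (or exactly "1 day,") yields no fields.

```python
import re
from collections import defaultdict

# The rex from the answer above, with (?<name>...) rewritten as Python's (?P<name>...).
UPTIME_RE = re.compile(
    r"(?P<time>.*)\s+up\s+(?P<updays>.*)\s+days,\s+(?P<uphours>\d+):(?P<upminutes>\d+),"
    r"\s+(?P<num_users>\d+)\s+users,\s+load\s+average:\s+"
    r"(?P<avgload_1minute>.+),\s+(?P<avgload_5minutes>.+),\s+(?P<avgload_15minutes>.+)"
)


def parse_uptime(line):
    """Extract the fields the rex names; None when the line does not match
    (for example a host up less than a day, where there is no 'N days,' part)."""
    m = UPTIME_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "time": d["time"].strip(),
        "updays": int(d["updays"]),
        "uphours": int(d["uphours"]),
        "upminutes": int(d["upminutes"]),
        "num_users": int(d["num_users"]),
        "avgload_1minute": float(d["avgload_1minute"]),
        "avgload_5minutes": float(d["avgload_5minutes"]),
        "avgload_15minutes": float(d["avgload_15minutes"]),
    }


def multikv(table_text):
    """Turn a whitespace-aligned table (header line, then rows) into one dict per row
    keyed by the header names, which is what multikv does with top's process table."""
    lines = [ln for ln in table_text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        # At most len(header) cells, so a COMMAND containing spaces stays in one cell.
        cells = ln.split(None, len(header) - 1)
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def top_consumers(rows, field, n=3):
    """Rows ranked by a numeric column such as %CPU or %MEM, highest first."""
    ranked = sorted(rows, key=lambda r: float(r[field]), reverse=True)
    return [(r["USER"], r["PID"], r["COMMAND"], float(r[field])) for r in ranked[:n]]


def avg_load_by_host(events):
    """Average each avgload_* field per host over many (host, uptime line) events:
    the per-bucket calculation behind 'timechart avg(avgload*) BY host'."""
    totals = defaultdict(lambda: defaultdict(float))
    counts = defaultdict(int)
    for host, line in events:
        parsed = parse_uptime(line)
        if parsed is None:  # unmatched lines contribute nothing, as in Splunk
            continue
        counts[host] += 1
        for k in ("avgload_1minute", "avgload_5minutes", "avgload_15minutes"):
            totals[host][k] += parsed[k]
    return {h: {k: round(v / counts[h], 4) for k, v in t.items()} for h, t in totals.items()}


# Constructed sample data: the uptime line from the question plus invented lines/hosts.
UPTIME_EVENTS = [
    ("web01", "13:43:55 up 74 days, 4:08, 2 users, load average: 0.11, 0.05, 0.01"),
    ("web01", "13:48:55 up 74 days, 4:13, 2 users, load average: 0.21, 0.15, 0.05"),
    ("db01", "13:43:57 up 12 days, 9:30, 1 users, load average: 1.50, 1.20, 1.00"),
    ("db01", "13:48:57 up 3:15, 1 users, load average: 0.90, 0.80, 0.70"),  # no 'days,': skipped
]

# Constructed top process table (the column set top prints by default).
TOP_TABLE = """\
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1234 splunk    20   0 1234567 123456  12345 S  12.3  1.5   1:23.45 splunkd
 5678 root      20   0   45678   2345   1234 R   0.7  0.0   0:00.12 top
 9012 postgres  20   0  987654 456789  23456 S   4.2  5.6  12:34.56 postgres: writer
"""

if __name__ == "__main__":
    print(parse_uptime(UPTIME_EVENTS[0][1]))
    print(avg_load_by_host(UPTIME_EVENTS))
    print(top_consumers(multikv(TOP_TABLE), "%CPU"))
```

If your hosts can have uptimes under a day, widen the "days" part of the rex (make the days group optional and accept "day" as well as "days") before relying on the chart, otherwise those hosts silently disappear from the timechart.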
Thank you, I am checking and working on it; I will update this thread once I have implemented it.
Hi,
I am working on the uptime command. Can we show the uptime load average results below in a line chart?
13:43:55 up 74 days, 4:08, 2 users, load average: 0.11, 0.05, 0.01
I have written a script which displays output like the one below. Can we create any kind of chart with the output below?
Post the output of the script here.
Is the output of the whole command available in Splunk as part of one event?
No,
when I indexed the output, I selected the source type generic_single_line, so it displays each line as one event.
I am not very sure which one is better for display: the whole output as one event, or each line as one event.
Will it work if I make it one event?
Can we show them based on the top output, like:
total memory
used memory
free and cached
total swap
used swap
free and buffered swap
top users consumed CPU,memory and PID