Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use join command to output in graph dashboard?

jackin
Path Finder
‎03-24-2022 02:58 AM

Hi,

I am using the below query to bring the output in graph dashboard but this query gives Disk memory values is same . I have attached the output also. Can anyone help me 

Query:

index=oswin sourcetype="Perfmon:Processor" host=COPYCAR01 
| timechart avg(cpu_load_percent) as CPU span=15min 
| join type=left host
[| mstats avg("Memory.%_Committed_Bytes_In_Use") as Memory WHERE index=oswinperf AND host=COPYCAR01 span=15min ] 
| join type=left host
[| mstats avg("LogicalDisk.%_Free_Space") as Diskfree WHERE index=oswinperf AND host=COPYCAR01 span=15min 
| eval DISK=100 - Diskfree 
| table _time,DISK]

 

Output:

_time               CPU                  DISK            Memory
2022-03-24 09:00:00 55.78524325650826 57.29944034187627 11.84846114177454
2022-03-24 09:15:00 59.38775699798989 57.29944034187627 11.84846114177454
2022-03-24 09:30:00 56.71582822628451 57.29944034187627 11.84846114177454

 

Labels (2)
Labels
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎03-24-2022 06:12 AM

You are getting the same because you are joining by host and not by host/_time

Since you're getting already metrics data why not use CPU metrics data as well? That would make you search something like this:

| mstats avg("Processor.%_Processor_Time") AS CPU avg("Memory.%_Committed_Bytes_In_Use") as Memory avg("LogicalDisk.%_Free_Space") as Diskfree WHERE index=oswinperf AND host=COPYCAR01 span=15min 
| eval DISK=100 - Diskfree 
| table _time CPU Memory DISK


Way better since you do not need to use join.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

jackin
Path Finder
‎03-24-2022 06:35 AM

Hi@diogofgm 

 Actually the cpu metric did not return the correct values. thats why

can you help me to bring the output?

0 Karma
Reply

venky1544
Builder
‎03-24-2022 07:54 AM

Hi @jackin 

what is the object and counter configured for you cpu metrics in your splunk and is your CPU data in sourcetype="Perfmon:Processor" i thought it is usually in different sourcetype 

like Memory.%_Committed_Bytes_In_Use  is for memory 

and LogicalDisk.%_Free_Space  is for free space 

 

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎03-24-2022 07:59 AM

In search and report ,in the analytics tab you can check which metrics you're collecting

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...