Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate graph from 'CPU RAM process' log

splunk_zen
Builder
‎04-09-2012 04:11 AM

How should I configure the Search (and Report) so to get a CPU & RAM line chart (the values not a count) by process?

This is my current log file format,

1.3 0.1 python

2.9 11.3 /usr/libexec/mysqld --basedir=/usr

2.0 0.1 sqlplus

0.0 0.1 ./smt_collector

0.0 0.0 ora_dia0_zabbix

0.0 0.0 /opt/ptin/zabbix/sbin/zabbix_agentd

0.0 0.0 /opt/ptin/zabbix/sbin/zabbix_agentd

0.1 0.9 splunkd

0.1 0.2 ./uzo_collector

0.3 0.5 /bin/sh

This is my current Search,

source="/opt/splunk/monitoring_logs/ps.log" | rex field=_raw "(?<field1>\d*) (?<field2>\d*) (?<field3>\s*)" | timechart
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-09-2012 06:47 AM

Do these rex extractions really work, e.g. does \d* match 0.1?

If it doesn't, I'd try

rex field=_raw "(?<field1>[\S]+)\s+(?<field2>\S+)\s+(?<field3>.*)$"

As for the charting, have you tried the "Advanced Charting" wizard? I believe that it is still found under the "Dashboards & Views" menu in the Search app. The following search gave what I believe is what you want;

your_search| multikv noheader=t | rex (?<CPU>\S+)\s+(?<MEM>\S+)\s+(?<PROCESS>.*)$ | timechart values(CPU) AS CPU_usage values(MEM) AS Memory_usage by PROCESS

The charting options were, chart type: line, Multi-series mode: combined, Missing values: connect.

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-09-2012 06:47 AM

Do these rex extractions really work, e.g. does \d* match 0.1?

If it doesn't, I'd try

rex field=_raw "(?<field1>[\S]+)\s+(?<field2>\S+)\s+(?<field3>.*)$"

As for the charting, have you tried the "Advanced Charting" wizard? I believe that it is still found under the "Dashboards & Views" menu in the Search app. The following search gave what I believe is what you want;

your_search| multikv noheader=t | rex (?<CPU>\S+)\s+(?<MEM>\S+)\s+(?<PROCESS>.*)$ | timechart values(CPU) AS CPU_usage values(MEM) AS Memory_usage by PROCESS

The charting options were, chart type: line, Multi-series mode: combined, Missing values: connect.

Hope this helps,

Kristian

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-09-2012 12:20 PM

You're most welcome 🙂 /k

0 Karma
Reply
Solved! Jump to solution

splunk_zen
Builder
‎04-09-2012 09:57 AM

Thanks kristian. Like you've already guessed I'm still not experienced in the search parameters, I'll take a look into multikv and the other structures.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...