Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate graph from 'CPU RAM process' log

splunk_zen
Builder
‎04-09-2012 04:11 AM

How should I configure the Search (and Report) so to get a CPU & RAM line chart (the values not a count) by process?

This is my current log file format,

1.3 0.1 python

2.9 11.3 /usr/libexec/mysqld --basedir=/usr

2.0 0.1 sqlplus

0.0 0.1 ./smt_collector

0.0 0.0 ora_dia0_zabbix

0.0 0.0 /opt/ptin/zabbix/sbin/zabbix_agentd

0.0 0.0 /opt/ptin/zabbix/sbin/zabbix_agentd

0.1 0.9 splunkd

0.1 0.2 ./uzo_collector

0.3 0.5 /bin/sh

This is my current Search,

source="/opt/splunk/monitoring_logs/ps.log" | rex field=_raw "(?<field1>\d*) (?<field2>\d*) (?<field3>\s*)" | timechart
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-09-2012 06:47 AM

Do these rex extractions really work, e.g. does \d* match 0.1?

If it doesn't, I'd try

rex field=_raw "(?<field1>[\S]+)\s+(?<field2>\S+)\s+(?<field3>.*)$"

As for the charting, have you tried the "Advanced Charting" wizard? I believe that it is still found under the "Dashboards & Views" menu in the Search app. The following search gave what I believe is what you want;

your_search| multikv noheader=t | rex (?<CPU>\S+)\s+(?<MEM>\S+)\s+(?<PROCESS>.*)$ | timechart values(CPU) AS CPU_usage values(MEM) AS Memory_usage by PROCESS

The charting options were, chart type: line, Multi-series mode: combined, Missing values: connect.

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-09-2012 06:47 AM

Do these rex extractions really work, e.g. does \d* match 0.1?

If it doesn't, I'd try

rex field=_raw "(?<field1>[\S]+)\s+(?<field2>\S+)\s+(?<field3>.*)$"

As for the charting, have you tried the "Advanced Charting" wizard? I believe that it is still found under the "Dashboards & Views" menu in the Search app. The following search gave what I believe is what you want;

your_search| multikv noheader=t | rex (?<CPU>\S+)\s+(?<MEM>\S+)\s+(?<PROCESS>.*)$ | timechart values(CPU) AS CPU_usage values(MEM) AS Memory_usage by PROCESS

The charting options were, chart type: line, Multi-series mode: combined, Missing values: connect.

Hope this helps,

Kristian

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-09-2012 12:20 PM

You're most welcome 🙂 /k

0 Karma
Reply
Solved! Jump to solution

splunk_zen
Builder
‎04-09-2012 09:57 AM

Thanks kristian. Like you've already guessed I'm still not experienced in the search parameters, I'll take a look into multikv and the other structures.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...