Splunk v6.6.5
I have my Perfmon CSVs from my Domain Controllers imported into Splunk for a dashboard. When the CSV is ingested by Splunk, it associates the column values to the appropriate CSV headers. The headers all contain the hostname in them. It also replaces all the special characters with underscores. This makes combining them a real trick.
CSV Sample 1:
MyDC01_Processor__Total__ Processor TimeMyDC01_Processor__Total__ Idle Time
1288
CSV Sample 2:
MyDC02_Processor__Total__ Processor TimeMyDC02_Processor__Total__ Idle Time
892
I'm trying to create a dashboard that shows avg, max and min (for example). My search as such is the closest I've gotten. But it just gives me the field names as the field values.
index=perfmon sourcetype=dc_perfmon
| fields host, "*_Processor__Total__ *"
| foreach "*_Processor__Total__ *"
[
eval "<<MATCHSEG2>>" = mvsort(mvappend("<<MATCHSEG2>>","<<FIELD>>"))
]
which provides me with output like so (Processor Time and Idle time are both MV fields):
host:MyDC01
MyDC01_Processor__Total__ Processor Time12
MyDC01_Processor__Total__ Idle Time88
Processor TimeProcessor Time<br/>MyDC02_Processor__Total__ Processor Time
Idle TimeIdle Time<br/>MyDC02_Processor__Total__ Idle Time
hostMyDC02
MyDC02_Processor__Total__ Processor Time12
MyDC02_Processor__Total__ Idle Time88
Processor TimeProcessor Time<br/>MyDC02_Processor__Total__ Processor Time
Idle TimeIdle Time<br/>MyDC02_Processor__Total__ Idle Time
I've tried several variations. I can do it if I separate all of the foreach statements out per field, but that takes so much memory Splunk usually chunks up and dies (My performance CSVs have about 30 fields after all). It only shows my desired field name and the full name of the last unmodified field. I've asked our internal Splunk experts, but they have no solutions. Any advice would be awesome.
Desired outcome would be something like so:
hostMyDC01
MyDC01_Processor__Total__ Processor Time12
MyDC01_Processor__Total__ Idle Time88
Processor Time12
Idle Time88
