Find the max and min cpu per host

manapuna · ‎05-18-2020

I have four hosts. H1, H2, H3, H4
each host have cpu_load

I want to find min cpu_load and max cpu_load. Find the min/max out of all host. In My scenario out of 4 host, find the min/max.

| stats min(host of cpu_load) as Min, max(host of cpu_load) | eval diff=max-min | alert based on diff

Any help is appreciated. Thank you

manapuna · ‎05-19-2020

I changed the question a bit.

... | stats count by host

output

H1 200
H2 340
H3 400
H4 250

The count of each host is different. How would you eval min_value and max_value of these host counts?

to4kawa · ‎05-19-2020

....
| stats count by host
| eventstats max(count) as max_value min(count) as min_value
| eval diff = max_value - min_value

try eventstats

chinmoya · ‎05-19-2020

try this:

| stats max(cpu_load) as max_tmp min(cpu_load) as min_tmp by host
| eventstats max(max_tmp) as max_final min(min_tmp) as min_final
| eval max_flag=if(max_tmp=max_final,1,0) , min_flag=if(min_tmp=min_final,1,0)
| where min_flag=1 OR max_flag=1

marycordova · ‎05-18-2020

|stats max(cpu_load) as max min(cpu_load) as min by host

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Stats#Stats_function_options

@marycordova

manapuna · ‎05-19-2020

mmm.. It didn't do it. Let me ask the question in different way. Lets forget about CPU. Lets say each host is giving you count of sessions or count of traffic.

index=app | stats count by host

result based on 4 host

How would you find max count out of 4 host

Find the max and min cpu per host

indexer clustering

indexing performance

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!