Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find the max and min cpu per host

manapuna
New Member
‎05-18-2020 07:35 PM

I have four hosts. H1, H2, H3, H4
each host have cpu_load

I want to find min cpu_load and max cpu_load. Find the min/max out of all host. In My scenario out of 4 host, find the min/max.

| stats min(host of cpu_load) as Min, max(host of cpu_load) | eval diff=max-min | alert based on diff

Any help is appreciated. Thank you

Labels (2)
Tags (4)
0 Karma
Reply

manapuna
New Member
‎05-19-2020 07:24 AM

I changed the question a bit.

... | stats count by host

output

H1 200
H2 340
H3 400
H4 250

The count of each host is different. How would you eval min_value and max_value of these host counts?

0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 08:08 AM 
....
| stats count by host
| eventstats max(count) as max_value min(count) as min_value
| eval diff = max_value - min_value

try eventstats

0 Karma
Reply

chinmoya
Communicator
‎05-19-2020 04:56 AM

try this:

| stats max(cpu_load) as max_tmp min(cpu_load) as min_tmp by host
| eventstats max(max_tmp) as max_final min(min_tmp) as min_final
| eval max_flag=if(max_tmp=max_final,1,0) , min_flag=if(min_tmp=min_final,1,0)
| where min_flag=1 OR max_flag=1

0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎05-18-2020 07:59 PM

|stats max(cpu_load) as max min(cpu_load) as min by host

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Stats#Stats_function_options

@marycordova
0 Karma
Reply

manapuna
New Member
‎05-19-2020 04:07 AM

mmm.. It didn't do it. Let me ask the question in different way. Lets forget about CPU. Lets say each host is giving you count of sessions or count of traffic.

index=app | stats count by host

result based on 4 host

How would you find max count out of 4 host

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...