Re: How to combine three different source types(CP...

vickgic · ‎09-14-2016

Hi,

I have a problem here, we have three source types named as "CPUtime", "Memory" , "Localnetwork"
CPUtime source types has fields such as object="Processor" counter="% Processor Time" instance="*"
Memory source types has fields such as object="Memory" counter="Committed Bytes"
Local Network source types has fields such as object="Network Interface" counter="Bytes Received/Sec"

Currently I am trying to combine these three source types and calculate avg as percentage put in one report

I have tried almost everything but nothing seems to be working.. Output should be listed host, CPU, Memory,Network in %. Can you please help me with this one?

Thanks
Vick

sundareshr · ‎09-15-2016

Try this

index=xyz (sourcetype=CPUtime OR sourcetype=Memory OR sourcetype=Localnetwork)  (counter="% Processor Time" OR counter="Committed Bytes" OR counter="Bytes Received/Sec") | chart  avg(Value) as values over host by counter

vickgic · ‎09-18-2016

Hi Sundaresh,

Just adding to the above comment I tried using the command eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') 100, 2) |, it shows the value same as like that of the Available Bytes(1342345466) instead of showing in percentage.

Please advise on this also.

Thanks in advance.

Best Regards,
Vick

vickgic · ‎09-15-2016

Hi Sundaresh,

Thanks for providing the command, it was really helpful.

I used the following syntax and the sample output as shown below

index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | chart max(Value) as values over host by counter

Output:
host %CPUTime Available Bytes Committed Bytes Bytes Total/Sec
xxxxxxx 3.55555 1003000000000 803000000000 3520600192

basically wat I want to achieve as Memory as in percentage same as CPUtime , I tired using the command syntax eval(Committed Bytes/Available Bytes + Committed Bytes)* 100.

Could you please help on this.

Much appreciate your advise, thanks in advance

Best Regards,
Vick

sundareshr · ‎09-16-2016

Since the field names have a space, you need to put them within quotes. So try this

index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") 
| eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2)
| chart max(Value) as values over host by counter 
| table host "%CPUTime" MemPerc "Bytes Total/Sec"

vickgic · ‎09-16-2016

Thanks for your prompt reply, I tried using the following command syntax

index= xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2) | chart max(Value) as values over host by counter | table host,"%CPUTime", MemPerc,"Bytes Total/Sec"

the output it displays as a table is only the host with names, whereas field such as %CPUTime", MemPerc,"Bytes Total/Sec are blank with no values.

Can you please help on this

Thanks
Vick

How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation