Monitoring Splunk
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- How to combine three different source types(CPU,Me...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report
vickgic
New Member
09-14-2016
11:48 PM
Hi,
I have a problem here, we have three source types named as "CPUtime", "Memory" , "Localnetwork"
CPUtime source types has fields such as object="Processor" counter="% Processor Time" instance="*"
Memory source types has fields such as object="Memory" counter="Committed Bytes"
Local Network source types has fields such as object="Network Interface" counter="Bytes Received/Sec"
Currently I am trying to combine these three source types and calculate avg as percentage put in one report
I have tried almost everything but nothing seems to be working.. Output should be listed host, CPU, Memory,Network in %. Can you please help me with this one?
Thanks
Vick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-15-2016
05:49 AM
Try this
index=xyz (sourcetype=CPUtime OR sourcetype=Memory OR sourcetype=Localnetwork) (counter="% Processor Time" OR counter="Committed Bytes" OR counter="Bytes Received/Sec") | chart avg(Value) as values over host by counter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vickgic
New Member
09-18-2016
07:48 PM
Hi Sundaresh,
Just adding to the above comment I tried using the command eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') 100, 2) |, it shows the value same as like that of the Available Bytes(1342345466) instead of showing in percentage.
Please advise on this also.
Thanks in advance.
Best Regards,
Vick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vickgic
New Member
09-15-2016
11:01 PM
Hi Sundaresh,
Thanks for providing the command, it was really helpful.
I used the following syntax and the sample output as shown below
index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | chart max(Value) as values over host by counter
Output:
host %CPUTime Available Bytes Committed Bytes Bytes Total/Sec
xxxxxxx 3.55555 1003000000000 803000000000 3520600192
basically wat I want to achieve as Memory as in percentage same as CPUtime , I tired using the command syntax eval(Committed Bytes/Available Bytes + Committed Bytes)* 100.
Could you please help on this.
Much appreciate your advise, thanks in advance
Best Regards,
Vick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-16-2016
05:17 AM
Since the field names have a space, you need to put them within quotes. So try this
index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec")
| eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2)
| chart max(Value) as values over host by counter
| table host "%CPUTime" MemPerc "Bytes Total/Sec"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vickgic
New Member
09-16-2016
11:53 PM
Thanks for your prompt reply, I tried using the following command syntax
index= xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2) | chart max(Value) as values over host by counter | table host,"%CPUTime", MemPerc,"Bytes Total/Sec"
the output it displays as a table is only the host with names, whereas field such as %CPUTime", MemPerc,"Bytes Total/Sec are blank with no values.
Can you please help on this
Thanks
Vick
Get Updates on the Splunk Community!
Security Professional: Sharpen Your Defenses with These .conf25 Sessions
Sooooooooooo, guess what.
.conf25 is almost here, and if you're on the Security Learning Path, this is your ...
First Steps with Splunk SOAR
Our first step was to gather a list of the playbooks we wanted and to sort them by priority. Once this list ...
How To Build a Self-Service Observability Practice with Splunk Observability Cloud
If you’ve read our previous post on self-service observability, you already know what it is and why it ...
