Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report

vickgic
New Member
‎09-14-2016 11:48 PM

Hi,

I have a problem here, we have three source types named as "CPUtime", "Memory" , "Localnetwork"
CPUtime source types has fields such as object="Processor" counter="% Processor Time" instance="*"
Memory source types has fields such as object="Memory" counter="Committed Bytes"
Local Network source types has fields such as object="Network Interface" counter="Bytes Received/Sec"

Currently I am trying to combine these three source types and calculate avg as percentage put in one report

I have tried almost everything but nothing seems to be working.. Output should be listed host, CPU, Memory,Network in %. Can you please help me with this one?

Thanks
Vick

0 Karma
Reply
Highlighted

Re: How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report

sundareshr
Legend
‎09-15-2016 05:49 AM

Try this

index=xyz (sourcetype=CPUtime OR sourcetype=Memory OR sourcetype=Localnetwork)  (counter="% Processor Time" OR counter="Committed Bytes" OR counter="Bytes Received/Sec") | chart  avg(Value) as values over host by counter
0 Karma
Reply
Highlighted

Re: How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report

vickgic
New Member
‎09-15-2016 11:01 PM

Hi Sundaresh,

Thanks for providing the command, it was really helpful.

I used the following syntax and the sample output as shown below

index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | chart max(Value) as values over host by counter

Output:
host %CPUTime Available Bytes Committed Bytes Bytes Total/Sec
xxxxxxx 3.55555 1003000000000 803000000000 3520600192

basically wat I want to achieve as Memory as in percentage same as CPUtime , I tired using the command syntax eval(Committed Bytes/Available Bytes + Committed Bytes)* 100.

Could you please help on this.

Much appreciate your advise, thanks in advance

Best Regards,
Vick

0 Karma
Reply
Highlighted

Re: How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report

sundareshr
Legend
‎09-16-2016 05:17 AM

Since the field names have a space, you need to put them within quotes. So try this

index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") 
| eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2)
| chart max(Value) as values over host by counter 
| table host "%CPUTime" MemPerc "Bytes Total/Sec"
0 Karma
Reply
Highlighted

Re: How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report

vickgic
New Member
‎09-16-2016 11:53 PM

Thanks for your prompt reply, I tried using the following command syntax

index= xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2) | chart max(Value) as values over host by counter | table host,"%CPUTime", MemPerc,"Bytes Total/Sec"

the output it displays as a table is only the host with names, whereas field such as %CPUTime", MemPerc,"Bytes Total/Sec are blank with no values.

Can you please help on this

Thanks
Vick

0 Karma
Reply
Highlighted

Re: How to combine three different source types(CPU,Memory, Network Utilization as perecentage) from same index type and get one report

vickgic
New Member
‎09-18-2016 07:48 PM

Hi Sundaresh,

Just adding to the above comment I tried using the command eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') 100, 2) |, it shows the value same as like that of the Available Bytes(1342345466) instead of showing in percentage.

Please advise on this also.

Thanks in advance.

Best Regards,
Vick

0 Karma
Reply