Solved: how to get the particluar hour cpu,memory,and disk...

prathapkcsc · ‎05-17-2017

HI, i have event like this
SNo TIme event
1 5/15/17 12:00:00.000 AM servername, nodename ,2017-05-15,00:00,18, 19, 13

2 5/15/17 14:00:00.000 PM servername, nodename ,2017-05-15,00:00,17, 18, 11

Here in 1st one, 18= cpu usage, 19=memory usage,13=disk usage
like this i have 24 hours data.In single event the server name,node name, cpu, memory,disk usage are there with comma separator.
Now my requirement is i want to generate histogram to cpu for only 8:00 AM, 12:00 PM, and 18:00 PM.Like this same for memory usage and disk usage.
Can anyone help me regarding this?
Thank you.
Proper response should be appreciated.

NOte:
In event logs,Under event section the fileds like this server name, node name, cpu usage, memory usage, disk usage

DalJeanis · ‎05-18-2017

start with this...

your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

...then any one of these...

| timechart max(CPU) as CPU by SERV 
| timechart max(MEM) as MEM by SERV 
| timechart max(DISK) as DISK by SERV

The | bin _time as will create a new field with the 4-hour increment to compare against.

View solution in original post

DalJeanis · ‎05-18-2017

start with this...

your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

...then any one of these...

| timechart max(CPU) as CPU by SERV 
| timechart max(MEM) as MEM by SERV 
| timechart max(DISK) as DISK by SERV

The | bin _time as will create a new field with the 4-hour increment to compare against.

prathapkcsc · ‎05-19-2017

I am getting only server names. data not coming into remaining fields .

DalJeanis · ‎05-22-2017

Try this for the rex....

 | rex ".*?(AM|PM)\s+(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)"

prathapkcsc · ‎05-23-2017

It is working now.But the problem is i am not getting two servers, remaining all servers data am getting. In place of that am getting a new column "OTHERS", which is not exists in my data. Can you tell about this
?

prathapkcsc · ‎05-22-2017

my event has only this " servername, nodename ,2017-05-15,00:00,18, 19, 13".
There is no time AM/PM on my event...

prathapkcsc · ‎05-22-2017

Where _time=desired_times..
In this how can i provide my timings as 8AM,12PM,18PM..
Can you help on this?

prathapkcsc · ‎05-18-2017

The above command not giving any results.

prathapkcsc · ‎05-18-2017

how to give the 8:00 AM as my time in the where _time clause

how to get the particluar hour cpu,memory,and disk usage using splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life