Monitoring Splunk

how to get the particluar hour cpu,memory,and disk usage using splunk?

prathapkcsc
Explorer

HI, i have event like this
SNo TIme event
1 5/15/17 12:00:00.000 AM servername, nodename ,2017-05-15,00:00,18, 19, 13

2 5/15/17 14:00:00.000 PM servername, nodename ,2017-05-15,00:00,17, 18, 11

Here in 1st one, 18= cpu usage, 19=memory usage,13=disk usage
like this i have 24 hours data.In single event the server name,node name, cpu, memory,disk usage are there with comma separator.
Now my requirement is i want to generate histogram to cpu for only 8:00 AM, 12:00 PM, and 18:00 PM.Like this same for memory usage and disk usage.
Can anyone help me regarding this?
Thank you.
Proper response should be appreciated.

NOte:
In event logs,Under event section the fileds like this server name, node name, cpu usage, memory usage, disk usage

0 Karma
1 Solution

DalJeanis
Legend

start with this...

your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

...then any one of these...

| timechart max(CPU) as CPU by SERV 
| timechart max(MEM) as MEM by SERV 
| timechart max(DISK) as DISK by SERV 

The | bin _time as will create a new field with the 4-hour increment to compare against.

View solution in original post

0 Karma

DalJeanis
Legend

start with this...

your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

...then any one of these...

| timechart max(CPU) as CPU by SERV 
| timechart max(MEM) as MEM by SERV 
| timechart max(DISK) as DISK by SERV 

The | bin _time as will create a new field with the 4-hour increment to compare against.

0 Karma

prathapkcsc
Explorer

I am getting only server names. data not coming into remaining fields .

0 Karma

DalJeanis
Legend

Try this for the rex....

 | rex ".*?(AM|PM)\s+(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)"
0 Karma

prathapkcsc
Explorer

It is working now.But the problem is i am not getting two servers, remaining all servers data am getting. In place of that am getting a new column "OTHERS", which is not exists in my data. Can you tell about this
?

0 Karma

prathapkcsc
Explorer

my event has only this " servername, nodename ,2017-05-15,00:00,18, 19, 13".
There is no time AM/PM on my event...

0 Karma

prathapkcsc
Explorer

Where _time=desired_times..
In this how can i provide my timings as 8AM,12PM,18PM..
Can you help on this?

0 Karma

prathapkcsc
Explorer

The above command not giving any results.

0 Karma

prathapkcsc
Explorer

how to give the 8:00 AM as my time in the where _time clause

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...