How to get the particular hour CPU, memory, and disk usage using Splunk?

prathapkcsc
Explorer

Hi, I have events like this:
SNo Time event
1 5/15/17 12:00:00.000 AM servername, nodename ,2017-05-15,00:00,18, 19, 13

2 5/15/17 14:00:00.000 PM servername, nodename ,2017-05-15,00:00,17, 18, 11

Here in the 1st one, 18 = CPU usage, 19 = memory usage, 13 = disk usage.
Like this I have 24 hours of data. In a single event the server name, node name, CPU, memory, and disk usage are there, comma separated.
Now my requirement is that I want to generate a histogram of CPU for only 8:00 AM, 12:00 PM, and 18:00 PM. The same for memory usage and disk usage.
Can anyone help me regarding this?
Thank you.
A proper response would be appreciated.

Note:
In the event logs, under the event section, the fields are like this: server name, node name, cpu usage, memory usage, disk usage

0 Karma
1 Solution

DalJeanis
Legend

start with this...

your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

...then any one of these...

| timechart max(CPU) as CPU by SERV 
| timechart max(MEM) as MEM by SERV 
| timechart max(DISK) as DISK by SERV 

The | bin _time as will create a new field with the 4-hour increment to compare against.

0 Karma


prathapkcsc
Explorer

I am getting only server names. Data is not coming into the remaining fields.

0 Karma

DalJeanis
Legend

Try this for the rex....

 | rex ".*?(AM|PM)\s+(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)"
0 Karma

prathapkcsc
Explorer

It is working now. But the problem is I am not getting two servers; for all the remaining servers I am getting data. In place of those I am getting a new column "OTHERS", which does not exist in my data. Can you tell me about this?

0 Karma

prathapkcsc
Explorer

My event has only this: " servername, nodename ,2017-05-15,00:00,18, 19, 13".
There is no AM/PM time in my event...

0 Karma

prathapkcsc
Explorer

Where _time=desired_times..
In this, how can I provide my timings as 8AM, 12PM, 18PM?
Can you help with this?

0 Karma

prathapkcsc
Explorer

The above command is not giving any results.

0 Karma

prathapkcsc
Explorer

How do I give 8:00 AM as my time in the where _time clause?

0 Karma
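Pulling the thread together, here is an added example (not a search posted by DalJeanis or prathapkcsc) written for the event format the asker finally describes: a raw line of the form "servername, nodename ,2017-05-15,00:00,18, 19, 13" with no AM/PM prefix, and a Splunk-assigned _time. It keeps only the 08:00, 12:00 and 18:00 readings and charts the CPU value per server. The field names SERV, NODE, mydate, mytime, CPU, MEM and DISK are kept from DalJeanis's rex; hr is a helper field introduced here; "your base search" stands for the asker's own index and sourcetype.

```spl
your base search
| rex field=_raw "^\s*(?<SERV>[^,]+?)\s*,\s*(?<NODE>[^,]+?)\s*,\s*(?<mydate>\d{4}-\d{2}-\d{2})\s*,\s*(?<mytime>\d{2}:\d{2})\s*,\s*(?<CPU>\d+)\s*,\s*(?<MEM>\d+)\s*,\s*(?<DISK>\d+)"
| eval hr=tonumber(strftime(_time, "%H"))
| where hr=8 OR hr=12 OR hr=18
| timechart span=1h limit=0 max(CPU) as CPU by SERV
```

The lazy `[^,]+?` followed by `\s*,` drops the stray space before the comma after the node name, so NODE comes out as "nodename" rather than "nodename ". Filtering on the hour of _time replaces the `bin`/`where _time = desired_times` step, which can only ever match events that fall exactly on a 4-hour boundary (00, 04, 08, 12, 16, 20), so 18:00 would never be selected by it. If the search-time timezone differs from the one the log was written in, filter on the extracted `mytime` field instead (`where mytime="08:00" OR mytime="12:00" OR mytime="18:00"`). The "OTHER" column the asker saw is timechart's default behaviour: it plots at most 10 series per split-by field and folds the rest into a series named OTHER; `limit=0` removes that cap so every server gets its own column. Swap `max(CPU) as CPU` for `max(MEM) as MEM` or `max(DISK) as DISK` for the other two charts, or use `chart limit=0 max(CPU) as CPU over hr by SERV` if a three-bar histogram keyed by hour is wanted rather than a time series with empty hours in between.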