Hi, I have events like this:
SNo Time event
1 5/15/17 12:00:00.000 AM servername, nodename ,2017-05-15,00:00,18, 19, 13
2 5/15/17 14:00:00.000 PM servername, nodename ,2017-05-15,00:00,17, 18, 11
Here in the 1st one, 18 = cpu usage, 19 = memory usage, 13 = disk usage.
Like this I have 24 hours of data. In a single event the server name, node name, cpu, memory and disk usage are there with a comma separator.
Now my requirement is that I want to generate a histogram of cpu for only 8:00 AM, 12:00 PM and 18:00 PM. Likewise for memory usage and disk usage.
Can anyone help me regarding this?
Thank you.
A proper response would be appreciated.
Note:
In the event logs, under the event section the fields are like this: server name, node name, cpu usage, memory usage, disk usage.
start with this...
your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK
...then any one of these...
| timechart max(CPU) as CPU by SERV
| timechart max(MEM) as MEM by SERV
| timechart max(DISK) as DISK by SERV
The | bin _time as will create a new field with the 4-hour increment to compare against.
I am getting only server names. Data is not coming into the remaining fields.
Try this for the rex
....
| rex ".*?(AM|PM)\s+(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)"
It is working now. But the problem is I am not getting two servers; I am getting the data of all the remaining servers. In place of those I am getting a new column "OTHERS", which does not exist in my data. Can you tell me about this?
My event has only this: " servername, nodename ,2017-05-15,00:00,18, 19, 13".
There is no AM/PM time in my event...
Where _time=desired_times..
In this, how can I provide my timings as 8AM, 12PM, 18PM..
Can you help on this?
The above command is not giving any results.
How do I give 8:00 AM as my time in the where _time clause?
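An added example, not posted by anyone in this thread, that models the rex extraction and the hour filter in plain Python so both can be checked offline. Splunk rex is PCRE and names groups as (?<name>...); Python's re wants (?P<name>...), and the rename below is enough because these patterns contain no lookbehind (assumption). The (AM|PM) prefix is left out because the asker says the raw event carries none, which isolates the only other difference between the two posted patterns: "\s+?" demands at least one space after every comma, and "nodename ,2017-05-15" has none. The sample events and their numbers are constructed.

```python
"""Offline check of the two rex patterns from the thread and of an explicit
08:00/12:00/18:00 hour filter, written in plain Python (no Splunk needed)."""
import re
from datetime import datetime

# Constructed sample events shaped like the ones in the question. Each tuple is
# (what Splunk would hold in _time, the raw event text). Values are made up.
SAMPLE_EVENTS = [
    ("2017-05-15 00:00:00", "servername, nodename ,2017-05-15,00:00,18, 19, 13"),
    ("2017-05-15 08:00:00", "servername, nodename ,2017-05-15,08:00,42, 61, 13"),
    ("2017-05-15 12:00:00", "servername, nodename ,2017-05-15,12:00,77, 64, 14"),
    ("2017-05-15 14:00:00", "servername, nodename ,2017-05-15,14:00,17, 18, 11"),
    ("2017-05-15 18:00:00", "servername, nodename ,2017-05-15,18:00,55, 70, 14"),
    ("2017-05-15 18:00:00", "server2, node2 ,2017-05-15,18:00,91, 80, 20"),
]

# The two patterns from the thread minus the leading (AM|PM). "\s+?" requires a
# space after each comma; "\s*?" allows none, which the raw line needs.
REX_SPACE_REQUIRED = (r"(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),"
                      r"\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)")
REX_SPACE_OPTIONAL = (r"(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),"
                      r"\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)")


def rex(pattern, raw):
    """Apply a Splunk-style rex pattern to one raw event.

    PCRE's (?<name>...) is renamed to Python's (?P<name>...); this assumes the
    pattern has no lookbehind, which holds for the patterns above. Like rex the
    match is unanchored (re.search). Returns a dict of fields, or None on no match.
    """
    m = re.search(pattern.replace("(?<", "(?P<"), raw)
    if m is None:
        return None
    # Strip the stray spaces around "nodename " and convert the metrics to ints.
    fields = {k: v.strip() for k, v in m.groupdict().items()}
    for k in ("CPU", "MEM", "DISK"):
        fields[k] = int(fields[k])
    return fields


def events_at_hours(events, pattern, hours=(8, 12, 18)):
    """Parse every event and keep those whose _time hour is in `hours`.

    An explicit hour list replaces "bin span=4h": 4-hour buckets start at
    00, 04, 08, 12, 16 and 20, so comparing against them never selects 18:00.
    Events the pattern cannot parse are dropped, as rex leaves them field-less.
    """
    kept = []
    for ts, raw in events:
        fields = rex(pattern, raw)
        if fields is None:
            continue
        if datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour in hours:
            fields["_time"] = ts
            kept.append(fields)
    return kept


def max_by_server(rows, field):
    """Equivalent of "| stats max(<field>) by SERV" for one metric."""
    out = {}
    for r in rows:
        out[r["SERV"]] = max(out.get(r["SERV"], 0), r[field])
    return out


if __name__ == "__main__":
    line = SAMPLE_EVENTS[0][1]
    print("space-required pattern:", rex(REX_SPACE_REQUIRED, line))
    print("space-optional pattern:", rex(REX_SPACE_OPTIONAL, line))
    rows = events_at_hours(SAMPLE_EVENTS, REX_SPACE_OPTIONAL)
    for metric in ("CPU", "MEM", "DISK"):
        print(metric, max_by_server(rows, metric))
```

The same hour selection in SPL, for the where clause asked about in the last comment, is an eval on the event timestamp followed by a where on the resulting number, for example "| eval hour=tonumber(strftime(_time, "%H")) | where hour=8 OR hour=12 OR hour=18", placed after the rex and before the timechart.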