Monitoring Splunk

How to get the particular hour CPU, memory, and disk usage using Splunk?

prathapkcsc
Explorer

Hi, I have events like this:
SNo Time Event
1 5/15/17 12:00:00.000 AM servername, nodename ,2017-05-15,00:00,18, 19, 13

2 5/15/17 14:00:00.000 PM servername, nodename ,2017-05-15,00:00,17, 18, 11

Here in the 1st one, 18 = cpu usage, 19 = memory usage, 13 = disk usage.
Like this I have 24 hours of data. In a single event the server name, node name, cpu, memory, and disk usage are there with a comma separator.
Now my requirement is I want to generate a histogram of cpu for only 8:00 AM, 12:00 PM, and 18:00 PM. Like this, the same for memory usage and disk usage.
Can anyone help me regarding this?
Thank you.
A proper response would be appreciated.

Note:
In the event logs, under the event section, the fields are like this: server name, node name, cpu usage, memory usage, disk usage

0 Karma
1 Solution

DalJeanis
SplunkTrust

start with this...

your base search
| rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)"
| bin _time as desired_times span=4h
| where _time = desired_times
| table _time SERV NODE CPU MEM DISK

...then any one of these...

| timechart max(CPU) as CPU by SERV 
| timechart max(MEM) as MEM by SERV 
| timechart max(DISK) as DISK by SERV 

The "| bin _time as ..." will create a new field with the 4-hour increment to compare against.


0 Karma

prathapkcsc
Explorer

I am getting only server names. Data is not coming into the remaining fields.

0 Karma

DalJeanis
SplunkTrust

Try this for the rex....

| rex ".*?(AM|PM)\s+(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)"
0 Karma

prathapkcsc
Explorer

It is working now. But the problem is I am not getting two servers; the remaining servers' data I am getting. In place of that I am getting a new column "OTHERS", which does not exist in my data. Can you tell me about this?

0 Karma

prathapkcsc
Explorer

My event has only this: " servername, nodename ,2017-05-15,00:00,18, 19, 13".
There is no AM/PM time in my event...

0 Karma

prathapkcsc
Explorer

Where _time=desired_times..
In this, how can I provide my timings as 8 AM, 12 PM, 18 PM..
Can you help on this?

0 Karma

prathapkcsc
Explorer

The above command is not giving any results.

0 Karma

prathapkcsc
Explorer

How to give 8:00 AM as my time in the where _time clause?

0 Karma
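An added SPL example, not posted by anyone in this thread, that pulls the open questions above together: it assumes the raw event is just the comma-separated line with no AM/PM prefix (as stated in the comments), picks the 08:00, 12:00 and 18:00 events by the hour of _time instead of a 4-hour bin, and passes limit=0 to timechart so servers beyond the default ten series are not folded into an OTHER column. "your base search" is a placeholder for the index/sourcetype search.

```spl
your base search
| rex "^\s*(?<SERV>[^,]+?)\s*,\s*(?<NODE>[^,]+?)\s*,\s*(?<mydate>\d{4}-\d{2}-\d{2})\s*,\s*(?<mytime>\d{2}:\d{2})\s*,\s*(?<CPU>\d+)\s*,\s*(?<MEM>\d+)\s*,\s*(?<DISK>\d+)"
| eval hour=tonumber(strftime(_time, "%H"))
| where hour=8 OR hour=12 OR hour=18
| timechart span=1h limit=0 max(CPU) AS CPU by SERV
```

Swap CPU for MEM or DISK in the last line to get the memory and disk histograms; the lazy `[^,]+?` groups stop before the stray spaces around the commas so SERV and NODE have no trailing whitespace.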