HI, i have event like this
SNo TIme event
1 5/15/17 12:00:00.000 AM servername, nodename ,2017-05-15,00:00,18, 19, 13
2 5/15/17 14:00:00.000 PM servername, nodename ,2017-05-15,00:00,17, 18, 11
Here in 1st one, 18= cpu usage, 19=memory usage,13=disk usage
like this i have 24 hours data.In single event the server name,node name, cpu, memory,disk usage are there with comma separator.
Now my requirement is i want to generate histogram to cpu for only 8:00 AM, 12:00 PM, and 18:00 PM.Like this same for memory usage and disk usage.
Can anyone help me regarding this?
Proper response should be appreciated.
In event logs,Under event section the fileds like this server name, node name, cpu usage, memory usage, disk usage
start with this...
your base search | rex "(AM|PM)\s+(?<SERV>[^,]+),\s+?(?<NODE>[^,]+),\s+?(?<mydate>[^,]+),\s+?(?<mytime>[^,]+),\s+?(?<CPU>\d+),\s+?(?<MEM>\d+),\s+?(?<DISK>\d+)" | bin _time as desired_times span=4h | where _time = desired_times | table _time SERV NODE CPU MEM DISK
...then any one of these...
| timechart max(CPU) as CPU by SERV | timechart max(MEM) as MEM by SERV | timechart max(DISK) as DISK by SERV
| bin _time as will create a new field with the 4-hour increment to compare against.
Try this for the
| rex ".*?(AM|PM)\s+(?<SERV>[^,]+),\s*?(?<NODE>[^,]+),\s*?(?<mydate>[^,]+),\s*?(?<mytime>[^,]+),\s*?(?<CPU>\d+),\s*?(?<MEM>\d+),\s*?(?<DISK>\d+)"
In this how can i provide my timings as 8AM,12PM,18PM..
Can you help on this?
my event has only this " servername, nodename ,2017-05-15,00:00,18, 19, 13".
There is no time AM/PM on my event...
It is working now.But the problem is i am not getting two servers, remaining all servers data am getting. In place of that am getting a new column "OTHERS", which is not exists in my data. Can you tell about this