Reporting by parsing entries in fields

er1kr1984 · ‎06-04-2013

Hi All

i am new to Splunk and hope this is not to much of a stupid question.

i am looking to create a report in the form of a line graph that shows the following values CPU values by time on the Y axis and cpu usage on the X axis

2013-06-04 14:01:48,192 INFO [] [6_ResourceMonitor] Total CPU usage per CPU: 0=65.17%
2013-06-04 14:01:48,192 INFO [] [6_ResourceMonitor] Total CPU usage per CPU: 0=62.09%
2013-06-04 14:01:48,192 INFO [] [6_ResourceMonitor] Total CPU usage per CPU: 0=60.17%
2013-06-04 14:01:48,192 INFO [] [6_ResourceMonitor] Total CPU usage per CPU: 0=59.12%
2013-06-04 14:01:48,192 INFO [] [6_ResourceMonitor] Total CPU usage per CPU: 0=59.09%

i have tried several different things but stuck at the moment any help would be fantastic

gfuente · ‎06-04-2013

Hello,

First of all, you´ll need to extract the values you want to chart in a new field with the rex command:

...| rex "CPU:\s0=(?< cpu_values >\d+\.\d+)" | ...

*without the spaces before and after the cpu_values

Then you need to use time chart, you´ll search would look something similar to:

sourcetype="mysourcetype" | rex "CPU:\s0=(?< cpu_values >\d+\.\d+)" | timechart avg(cpu_values)

Regards

Reporting by parsing entries in fields

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?

Reporting by parsing entries in fields

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!