- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: how to plot a time chart with average of some ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to plot a time chart with average of some fields for some devices
Need to plot a time chart of some mac with average of Mem0, Mem1, CPU0, CPU1 and CPU2.
(index=metrics OR index=hc_trials OR index=hc_prod) (HCTELEM OR HCJUNK) uptime>1800
| fields + payload version deviceid mac uptime
| eval payload=replace(payload, "\"\"", "\"")
| spath input=payload output=Mem0 path=Mem{0}
| spath input=payload output=Mem1 path=Mem{1}
| spath input=payload output=CPU0 path=CPU{0}
| spath input=payload output=CPU1 path=CPU{1}
| spath input=payload output=CPU2 path=CPU{2}
| table mac Mem0 Mem1 CPU0 CPU1 CPU2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can change span=whateveryouwant , I have aggregated events to 10minutes
you can't actually plot 3 axis - _time, mac and averages on 2D graphs.
(index=metrics OR index=hc_trials OR index=hc_prod) (HCTELEM OR HCJUNK) uptime>1800
| fields + payload version deviceid mac uptime
| eval payload=replace(payload, "\"\"", "\"")
| spath input=payload output=Mem0 path=Mem{0}
| spath input=payload output=Mem1 path=Mem{1}
| spath input=payload output=CPU0 path=CPU{0}
| spath input=payload output=CPU1 path=CPU{1}
| spath input=payload output=CPU2 path=CPU{2}
| bin _time span=10m
| stats avg(Mem0) as avg_Mem0 avg(Mem1) as avg_Mem1 avg(CPU0) as avg_CPU0 avg(CPU1) as avg_CPU1 avg(CPU2) as avg_CPU2 by _time,mac
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need the average of only these devices 24A7DCFFB120,24A7DCFFB480,24A7DCFFB730,3C8994CCFB80,24A7DCFFBB30,24A7DCFFA150,80721552DB50,3C8994718568,24A7DCFFAB78,3C8994558170,807215405D08,3C8994782528,3C8994667D78,3C8994788B70,3C899467CBC8,3C8994731588,24A7DCFFA650,3C8994763F88,3C8994764D68
can i use a where
| where mac like (24A7DCFFB120,24A7DCFFB480,24A7DCFFB730,3C8994CCFB80,24A7DCFFBB30,24A7DCFFA150,80721552DB50,3C8994718568,24A7DCFFAB78,3C8994558170,807215405D08,3C8994782528,3C8994667D78,3C8994788B70,3C899467CBC8,3C8994731588,24A7DCFFA650,3C8994763F88,3C8994764D68)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually i need the average of (Mem0) ,(Mem1) ,(CPU0) ,(CPU1) &(CPU2) for these 21 devices aggregated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
something like this for all 21 devices aggregated on daily basis.
| _time | avg_Mem0 | avg_Mem1 | avg_CPU0 | avg_CPU1 | avg_CPU2 |
| 01-08-2020 | 28889 | 6777 | 8676 | 9898 | 1232 |
| 02-08-2020 | 28765 | 6875 | 8976 | 9676 | 1342 |
| 03-08-2020 | 26542 | 6543 | 8231 | 9754 | 1423 |
| 04-08-2020 | 26579 | 6231 | 8354 | 9543 | 1876 |
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
