Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting multiple entries for a single workload.....

chinmay25
Path Finder
‎07-01-2020 11:17 PM

Hello everyone.....I have been trying to get CPU time for different workloads. However, for some workloads I am getting multiple entries of CPU Time.....how do i avoid getting multiple entries?

Please see the query I am working on below...

| fields SMF30JBN DATETIME SMF30CPT
| eval Job_Name=SMF30JBN, Date = substr(DATETIME,1,10)
| eval WORKLOAD = substr(Job_Name,1,3)
| eval CP_Time=SMF30CPT
| eval cpu_time=strptime(SMF30CPT,"%H:%M:%S.%2N")
| eval base=strptime("00:00:00.00","%H:%M:%S.%2N")
| eval ctime=cpu_time-base
| eval ctime=round(ctime, 2)
| stats values(ctime) as CPU_TIME by WORKLOAD Date

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-01-2020 11:58 PM

@chinmay25,

Usually its because of the multi processor systems where you have two or more CPUs . If that's the case, it's a sum of all CPU time taken up by that workload. 

There are other possibilities that the workload has multiple executions per day and/or you are receiving duplicate events etc. Look at your raw events and based on the final requirement, we can fine tune

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-01-2020 11:58 PM

@chinmay25,

Usually its because of the multi processor systems where you have two or more CPUs . If that's the case, it's a sum of all CPU time taken up by that workload. 

There are other possibilities that the workload has multiple executions per day and/or you are receiving duplicate events etc. Look at your raw events and based on the final requirement, we can fine tune

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

chinmay25
Path Finder
‎07-02-2020 12:34 PM

I was able to get the average CPU time. However, I am getting a result as below.

WorkloadCPU_TIMEAVG_TIME
PART A3.5 
PART B2485.4 
AVG_TIME 226.26

 

I want to get the avg time value under the same column as the CPU_TIME.

here is the query that I have

| fields SMF30JBN DATETIME SMF30CPT
| eval Job_Name=SMF30JBN, Date = substr(DATETIME,1,10)
| eval WORKLOAD = substr(Job_Name,1,3)
| eval CP_Time=SMF30CPT
| eval cpu_time=strptime(SMF30CPT,"%H:%M:%S.%2N")
| eval base=strptime("00:00:00.00","%H:%M:%S.%2N")
| eval ctime=cpu_time-base
| eval ctime=round(ctime, 2)
| stats sum(ctime) as CPU_TIME by WORKLOAD
| eval SYST = substr(WORKLOAD,1,1)
| eval TYPE = case(SYST = "F", "PART A PROD",SYST = "M", "PART B PROD")
| appendpipe
[| stats sum(CPU_TIME) as CPU_TIME by TYPE
| eval WORKLOAD="".TYPE." CPU_TIME"]
| fields WORKLOAD CPU_TIME
| append
[search index=cds_ffs_smf030 SMFID=EDCA sourcetype=syncsort:smf030 SMF30STP=5
| fields SMF30JBN DATETIME SMF30CPT
| eval Job_Name=SMF30JBN, Date = substr(DATETIME,1,10)
| eval WORKLOAD = substr(Job_Name,1,3)
| eval CP_Time=SMF30CPT
| eval cpu_time=strptime(SMF30CPT,"%H:%M:%S.%2N")
| eval base=strptime("00:00:00.00","%H:%M:%S.%2N")
| eval ctime=cpu_time-base
| eval ctime=round(ctime, 2)
| stats sum(ctime) as CPU_TIME by WORKLOAD
| stats avg(CPU_TIME) as AVG_TIME
| eval AVG_TIME = round(AVG_TIME, 2)
| eval WORKLOAD="AVG_TIME"]

Tags (1)
0 Karma
Reply
Solved! Jump to solution

chinmay25
Path Finder
‎07-02-2020 11:54 AM

The sum helped.

I have calculated the total CPU time for the different workloads. Need to get the average CPU time as well.

Any suggestions?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...