Solved: Re: Based on last row how to match values of all t...

ashish_khantwal · ‎07-04-2022

Based on the last row which is "Average", check the values of avg_cpu_utilization and avg_mem_usage and where ever the difference is more then 3 change it's colour or mark it in bold.

cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
Cluster	Host1	8.2	29.62	0.18	17.65	29.63
Cluster	Host2	5.5	26.41	0.08	14.31	26.42
Cluster	Host3	1.7	30.51	0.01	3.48	30.52
Average		3.98	29.61	0.07	9.39	29.62

For Example-
if we see avg_cpu_utilization field it's average is 3.98, so it should check all the values in that column (8.2,5.5,1.7) and where ever average difference is more then 3 mark it in bold, so in this case if we compare 3.98 value with other 3 values then for Host1 it is 8.2, which should be marked in bold or colour should be changed for it.
Output should be below-

cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
Cluster	Host1	8.2	29.62	0.18	17.65	29.63
Cluster	Host2	5.5	26.41	0.08	14.31	26.42
Cluster	Host3	1.7	30.51	0.01	3.48	30.52
Average		3.98	29.61	0.07	9.39	29.62

ITWhisperer · ‎07-05-2022

| makeresults
| eval _raw="cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
Cluster	Host1	8.2	29.62	0.18	17.65	29.63
Cluster	Host2	5.5	26.41	0.08	14.31	26.42
Cluster	Host3	1.7	30.51	0.01	3.48	30.52"
| multikv forceheader=1
| table cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
| eventstats avg(avg_cpu_utilization) as avg_avg_cpu_utilization avg(avg_mem_usage) as avg_avg_mem_usage avg(max_cpu_readiness) as avg_max_cpu_readiness avg(max_cpu_utilization) as avg_max_cpu_utilization avg(max_mem_usage) as avg_max_mem_usage
| appendpipe [stats avg(avg_cpu_utilization) as avg_cpu_utilization avg(avg_mem_usage) as avg_mem_usage avg(max_cpu_readiness) as max_cpu_readiness avg(max_cpu_utilization) as max_cpu_utilization avg(max_mem_usage) as max_mem_usage]
| eval avg_cpu_utilization=if(abs(avg_cpu_utilization-avg_avg_cpu_utilization)>3,mvappend(avg_cpu_utilization,"RED"),avg_cpu_utilization)
| eval avg_mem_usage=if(abs(avg_mem_usage-avg_avg_mem_usage)>3,mvappend(avg_mem_usage,"RED"),avg_mem_usage)
| eval max_cpu_readiness=if(abs(max_cpu_readiness-avg_max_cpu_readiness)>3,mvappend(max_cpu_readiness,"RED"),max_cpu_readiness)
| eval max_cpu_utilization=if(abs(max_cpu_utilization-avg_max_cpu_utilization)>3,mvappend(max_cpu_utilization,"RED"),max_cpu_utilization)
| eval max_mem_usage=if(abs(max_mem_usage-avg_max_mem_usage)>3,mvappend(max_mem_usage,"RED"),max_mem_usage)
| fields - avg_avg_cpu_utilization avg_avg_mem_usage avg_max_cpu_readiness avg_max_cpu_utilization avg_max_mem_usage

View solution in original post

ashish_khantwal · ‎07-05-2022

Thanks @ITWhisperer - It worked as required

ashish_khantwal · ‎07-05-2022

@ITWhisperer - Through the stats command

appendpipe [stats avg(avg_mem_usage) as avg_mem_usage]

ITWhisperer · ‎07-05-2022

| makeresults
| eval _raw="cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
Cluster	Host1	8.2	29.62	0.18	17.65	29.63
Cluster	Host2	5.5	26.41	0.08	14.31	26.42
Cluster	Host3	1.7	30.51	0.01	3.48	30.52"
| multikv forceheader=1
| table cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
| eventstats avg(avg_cpu_utilization) as avg_avg_cpu_utilization avg(avg_mem_usage) as avg_avg_mem_usage avg(max_cpu_readiness) as avg_max_cpu_readiness avg(max_cpu_utilization) as avg_max_cpu_utilization avg(max_mem_usage) as avg_max_mem_usage
| appendpipe [stats avg(avg_cpu_utilization) as avg_cpu_utilization avg(avg_mem_usage) as avg_mem_usage avg(max_cpu_readiness) as max_cpu_readiness avg(max_cpu_utilization) as max_cpu_utilization avg(max_mem_usage) as max_mem_usage]
| eval avg_cpu_utilization=if(abs(avg_cpu_utilization-avg_avg_cpu_utilization)>3,mvappend(avg_cpu_utilization,"RED"),avg_cpu_utilization)
| eval avg_mem_usage=if(abs(avg_mem_usage-avg_avg_mem_usage)>3,mvappend(avg_mem_usage,"RED"),avg_mem_usage)
| eval max_cpu_readiness=if(abs(max_cpu_readiness-avg_max_cpu_readiness)>3,mvappend(max_cpu_readiness,"RED"),max_cpu_readiness)
| eval max_cpu_utilization=if(abs(max_cpu_utilization-avg_max_cpu_utilization)>3,mvappend(max_cpu_utilization,"RED"),max_cpu_utilization)
| eval max_mem_usage=if(abs(max_mem_usage-avg_max_mem_usage)>3,mvappend(max_mem_usage,"RED"),max_mem_usage)
| fields - avg_avg_cpu_utilization avg_avg_mem_usage avg_max_cpu_readiness avg_max_cpu_utilization avg_max_mem_usage

ashish_khantwal · ‎07-05-2022

Thanks @ITWhisperer -But how do i match the average value with other values in the column?

ITWhisperer · ‎07-05-2022

How did you create the average in the first place?

ITWhisperer · ‎07-04-2022

Using Classic dashboards, you can colour the cell in the table based on the value in the field. In your case, you should make the cells multi-value, with the second value being set when you want the colour to change. You then use CSS to hide the second value.

See this solution https://community.splunk.com/t5/Splunk-Search/How-to-change-table-cell-background-color-depends-on-s...

How to match values of all the columns based on the last row?

using Splunk Enterprise

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector