- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on the last row which is "Average", check the values of avg_cpu_utilization and avg_mem_usage and where ever the difference is more then 3 change it's colour or mark it in bold.
cluster_name | hypervisor_name | avg_cpu_utilization | avg_mem_usage | max_cpu_readiness | max_cpu_utilization | max_mem_usage |
Cluster | Host1 | 8.2 | 29.62 | 0.18 | 17.65 | 29.63 |
Cluster | Host2 | 5.5 | 26.41 | 0.08 | 14.31 | 26.42 |
Cluster | Host3 | 1.7 | 30.51 | 0.01 | 3.48 | 30.52 |
Average | 3.98 | 29.61 | 0.07 | 9.39 | 29.62 |
For Example-
if we see avg_cpu_utilization field it's average is 3.98, so it should check all the values in that column (8.2,5.5,1.7) and where ever average difference is more then 3 mark it in bold, so in this case if we compare 3.98 value with other 3 values then for Host1 it is 8.2, which should be marked in bold or colour should be changed for it.
Output should be below-
cluster_name | hypervisor_name | avg_cpu_utilization | avg_mem_usage | max_cpu_readiness | max_cpu_utilization | max_mem_usage |
Cluster | Host1 | 8.2 | 29.62 | 0.18 | 17.65 | 29.63 |
Cluster | Host2 | 5.5 | 26.41 | 0.08 | 14.31 | 26.42 |
Cluster | Host3 | 1.7 | 30.51 | 0.01 | 3.48 | 30.52 |
Average | 3.98 | 29.61 | 0.07 | 9.39 | 29.62 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="cluster_name hypervisor_name avg_cpu_utilization avg_mem_usage max_cpu_readiness max_cpu_utilization max_mem_usage
Cluster Host1 8.2 29.62 0.18 17.65 29.63
Cluster Host2 5.5 26.41 0.08 14.31 26.42
Cluster Host3 1.7 30.51 0.01 3.48 30.52"
| multikv forceheader=1
| table cluster_name hypervisor_name avg_cpu_utilization avg_mem_usage max_cpu_readiness max_cpu_utilization max_mem_usage
| eventstats avg(avg_cpu_utilization) as avg_avg_cpu_utilization avg(avg_mem_usage) as avg_avg_mem_usage avg(max_cpu_readiness) as avg_max_cpu_readiness avg(max_cpu_utilization) as avg_max_cpu_utilization avg(max_mem_usage) as avg_max_mem_usage
| appendpipe [stats avg(avg_cpu_utilization) as avg_cpu_utilization avg(avg_mem_usage) as avg_mem_usage avg(max_cpu_readiness) as max_cpu_readiness avg(max_cpu_utilization) as max_cpu_utilization avg(max_mem_usage) as max_mem_usage]
| eval avg_cpu_utilization=if(abs(avg_cpu_utilization-avg_avg_cpu_utilization)>3,mvappend(avg_cpu_utilization,"RED"),avg_cpu_utilization)
| eval avg_mem_usage=if(abs(avg_mem_usage-avg_avg_mem_usage)>3,mvappend(avg_mem_usage,"RED"),avg_mem_usage)
| eval max_cpu_readiness=if(abs(max_cpu_readiness-avg_max_cpu_readiness)>3,mvappend(max_cpu_readiness,"RED"),max_cpu_readiness)
| eval max_cpu_utilization=if(abs(max_cpu_utilization-avg_max_cpu_utilization)>3,mvappend(max_cpu_utilization,"RED"),max_cpu_utilization)
| eval max_mem_usage=if(abs(max_mem_usage-avg_max_mem_usage)>3,mvappend(max_mem_usage,"RED"),max_mem_usage)
| fields - avg_avg_cpu_utilization avg_avg_mem_usage avg_max_cpu_readiness avg_max_cpu_utilization avg_max_mem_usage
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @ITWhisperer - It worked as required
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer - Through the stats command
appendpipe [stats avg(avg_mem_usage) as avg_mem_usage]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="cluster_name hypervisor_name avg_cpu_utilization avg_mem_usage max_cpu_readiness max_cpu_utilization max_mem_usage
Cluster Host1 8.2 29.62 0.18 17.65 29.63
Cluster Host2 5.5 26.41 0.08 14.31 26.42
Cluster Host3 1.7 30.51 0.01 3.48 30.52"
| multikv forceheader=1
| table cluster_name hypervisor_name avg_cpu_utilization avg_mem_usage max_cpu_readiness max_cpu_utilization max_mem_usage
| eventstats avg(avg_cpu_utilization) as avg_avg_cpu_utilization avg(avg_mem_usage) as avg_avg_mem_usage avg(max_cpu_readiness) as avg_max_cpu_readiness avg(max_cpu_utilization) as avg_max_cpu_utilization avg(max_mem_usage) as avg_max_mem_usage
| appendpipe [stats avg(avg_cpu_utilization) as avg_cpu_utilization avg(avg_mem_usage) as avg_mem_usage avg(max_cpu_readiness) as max_cpu_readiness avg(max_cpu_utilization) as max_cpu_utilization avg(max_mem_usage) as max_mem_usage]
| eval avg_cpu_utilization=if(abs(avg_cpu_utilization-avg_avg_cpu_utilization)>3,mvappend(avg_cpu_utilization,"RED"),avg_cpu_utilization)
| eval avg_mem_usage=if(abs(avg_mem_usage-avg_avg_mem_usage)>3,mvappend(avg_mem_usage,"RED"),avg_mem_usage)
| eval max_cpu_readiness=if(abs(max_cpu_readiness-avg_max_cpu_readiness)>3,mvappend(max_cpu_readiness,"RED"),max_cpu_readiness)
| eval max_cpu_utilization=if(abs(max_cpu_utilization-avg_max_cpu_utilization)>3,mvappend(max_cpu_utilization,"RED"),max_cpu_utilization)
| eval max_mem_usage=if(abs(max_mem_usage-avg_max_mem_usage)>3,mvappend(max_mem_usage,"RED"),max_mem_usage)
| fields - avg_avg_cpu_utilization avg_avg_mem_usage avg_max_cpu_readiness avg_max_cpu_utilization avg_max_mem_usage
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @ITWhisperer -But how do i match the average value with other values in the column?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you create the average in the first place?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Classic dashboards, you can colour the cell in the table based on the value in the field. In your case, you should make the cells multi-value, with the second value being set when you want the colour to change. You then use CSS to hide the second value.
See this solution https://community.splunk.com/t5/Splunk-Search/How-to-change-table-cell-background-color-depends-on-s...