Splunk Enterprise

How to match values of all the columns based on the last row?

ashish_khantwal
Engager

Based on the last row, which is "Average", check the values of avg_cpu_utilization and avg_mem_usage and wherever the difference is more than 3, change its colour or mark it in bold.

cluster_name hypervisor_name avg_cpu_utilization avg_mem_usage max_cpu_readiness max_cpu_utilization max_mem_usage
Cluster Host1 8.2 29.62 0.18 17.65 29.63
Cluster Host2 5.5 26.41 0.08 14.31 26.42
Cluster Host3 1.7 30.51 0.01 3.48 30.52
Average   3.98 29.61 0.07 9.39 29.62

 

For example:
If we look at the avg_cpu_utilization field, its average is 3.98, so it should check all the values in that column (8.2, 5.5, 1.7) and wherever the difference from the average is more than 3, mark it in bold. So in this case, if we compare the 3.98 value with the other 3 values, then for Host1 it is 8.2, which should be marked in bold or have its colour changed.
Output should be as below:

cluster_name hypervisor_name avg_cpu_utilization avg_mem_usage max_cpu_readiness max_cpu_utilization max_mem_usage
Cluster Host1 8.2 29.62 0.18 17.65 29.63
Cluster Host2 5.5 26.41 0.08 14.31 26.42
Cluster Host3 1.7 30.51 0.01 3.48 30.52
Average   3.98 29.61 0.07 9.39 29.62
1 Solution

ITWhisperer
SplunkTrust
| makeresults
| eval _raw="cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
Cluster	Host1	8.2	29.62	0.18	17.65	29.63
Cluster	Host2	5.5	26.41	0.08	14.31	26.42
Cluster	Host3	1.7	30.51	0.01	3.48	30.52"
| multikv forceheader=1
| table cluster_name	hypervisor_name	avg_cpu_utilization	avg_mem_usage	max_cpu_readiness	max_cpu_utilization	max_mem_usage
| eventstats avg(avg_cpu_utilization) as avg_avg_cpu_utilization avg(avg_mem_usage) as avg_avg_mem_usage avg(max_cpu_readiness) as avg_max_cpu_readiness avg(max_cpu_utilization) as avg_max_cpu_utilization avg(max_mem_usage) as avg_max_mem_usage
| appendpipe [stats avg(avg_cpu_utilization) as avg_cpu_utilization avg(avg_mem_usage) as avg_mem_usage avg(max_cpu_readiness) as max_cpu_readiness avg(max_cpu_utilization) as max_cpu_utilization avg(max_mem_usage) as max_mem_usage]
| eval avg_cpu_utilization=if(abs(avg_cpu_utilization-avg_avg_cpu_utilization)>3,mvappend(avg_cpu_utilization,"RED"),avg_cpu_utilization)
| eval avg_mem_usage=if(abs(avg_mem_usage-avg_avg_mem_usage)>3,mvappend(avg_mem_usage,"RED"),avg_mem_usage)
| eval max_cpu_readiness=if(abs(max_cpu_readiness-avg_max_cpu_readiness)>3,mvappend(max_cpu_readiness,"RED"),max_cpu_readiness)
| eval max_cpu_utilization=if(abs(max_cpu_utilization-avg_max_cpu_utilization)>3,mvappend(max_cpu_utilization,"RED"),max_cpu_utilization)
| eval max_mem_usage=if(abs(max_mem_usage-avg_max_mem_usage)>3,mvappend(max_mem_usage,"RED"),max_mem_usage)
| fields - avg_avg_cpu_utilization avg_avg_mem_usage avg_max_cpu_readiness avg_max_cpu_utilization avg_max_mem_usage

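The accepted answer's pipeline recomputed outside Splunk, as an added Python example that is not code from the thread or from Splunk: the column means stand in for eventstats, the appended row for appendpipe [stats avg(...)], and a two-element list for the mvappend(value, "RED") cell that the dashboard CSS later hides. The three host rows and the field names are the question's own, embedded as constructed input; QUESTION_AVERAGE holds the question's Average row verbatim, and THRESHOLD, flag_outliers, red_cells and render are names chosen here. It goes one step beyond the answer by accepting either the recomputed mean or a precomputed reference row.

```python
from statistics import mean

# Constructed input: the three host rows from the question. The Average row is
# recomputed below, as the accepted SPL answer does with eventstats/appendpipe.
ROWS = [
    {"cluster_name": "Cluster", "hypervisor_name": "Host1", "avg_cpu_utilization": 8.2,
     "avg_mem_usage": 29.62, "max_cpu_readiness": 0.18, "max_cpu_utilization": 17.65,
     "max_mem_usage": 29.63},
    {"cluster_name": "Cluster", "hypervisor_name": "Host2", "avg_cpu_utilization": 5.5,
     "avg_mem_usage": 26.41, "max_cpu_readiness": 0.08, "max_cpu_utilization": 14.31,
     "max_mem_usage": 26.42},
    {"cluster_name": "Cluster", "hypervisor_name": "Host3", "avg_cpu_utilization": 1.7,
     "avg_mem_usage": 30.51, "max_cpu_readiness": 0.01, "max_cpu_utilization": 3.48,
     "max_mem_usage": 30.52},
]

# The "Average" row exactly as the question shows it. It is not the mean of the
# three rows above, so it is kept as an alternative reference.
QUESTION_AVERAGE = {"avg_cpu_utilization": 3.98, "avg_mem_usage": 29.61,
                    "max_cpu_readiness": 0.07, "max_cpu_utilization": 9.39,
                    "max_mem_usage": 29.62}

NUMERIC_FIELDS = list(QUESTION_AVERAGE)
THRESHOLD = 3.0  # the ">3" from the question; the name is chosen here


def column_means(rows, fields=NUMERIC_FIELDS):
    """eventstats avg(<f>) as avg_<f>: one mean per numeric column, over all rows."""
    return {f: mean(r[f] for r in rows) for f in fields}


def flag_outliers(rows, reference=None, threshold=THRESHOLD):
    """Return the rows plus an appended Average row.

    A cell whose distance from the column reference exceeds the threshold becomes
    the two-element list [value, "RED"], mirroring mvappend(value, "RED") in SPL.
    With reference=None the reference is the recomputed column mean (what the
    accepted answer does); pass a dict of per-field values to use a precomputed
    Average row instead.
    """
    ref = reference if reference is not None else column_means(rows)
    out = []
    for r in rows:
        marked = dict(r)
        for f in ref:
            if abs(r[f] - ref[f]) > threshold:
                marked[f] = [r[f], "RED"]
        out.append(marked)
    # appendpipe [stats avg(...)]: in the SPL version the summary row carries no
    # avg_* helper fields, so it is never compared against itself or flagged.
    avg_row = {"cluster_name": "Average", "hypervisor_name": ""}
    avg_row.update({f: round(v, 2) for f, v in ref.items()})
    out.append(avg_row)
    return out


def red_cells(rows, reference=None):
    """Sorted (hypervisor_name, field) pairs whose cell would be coloured."""
    return sorted((r["hypervisor_name"], f)
                  for r in flag_outliers(rows, reference)
                  for f in NUMERIC_FIELDS if isinstance(r[f], list))


def render(rows, reference=None):
    """Plain-text stand-in for the dashboard CSS: flagged cells are wrapped in *...*."""
    fields = ["cluster_name", "hypervisor_name", *NUMERIC_FIELDS]
    lines = ["\t".join(fields)]
    for r in flag_outliers(rows, reference):
        cells = [f"*{r[f][0]}*" if isinstance(r[f], list) else str(r[f]) for f in fields]
        lines.append("\t".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Reference = recomputed mean (accepted answer):")
    print(render(ROWS))
    print("\nReference = the question's own Average row:")
    print(render(ROWS, QUESTION_AVERAGE))
```

Run as a script it prints both tables with the flagged cells starred. The two references give different results: the mean recomputed from the three rows is 5.13 for avg_cpu_utilization, not the 3.98 in the question's Average row, so with the accepted answer's approach Host3 (1.7) is flagged alongside Host1, and in max_cpu_utilization Host1 and Host3 exceed the threshold. If the Average row comes from a different search or time range, pass that row in as the reference instead of recomputing it.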

ashish_khantwal
Engager

Thanks @ITWhisperer - It worked as required


ashish_khantwal
Engager

@ITWhisperer - Through the stats command

appendpipe [stats avg(avg_mem_usage) as avg_mem_usage]



ashish_khantwal
Engager

Thanks @ITWhisperer - But how do I match the average value with the other values in the column?


ITWhisperer
SplunkTrust

How did you create the average in the first place?


ITWhisperer
SplunkTrust

Using Classic dashboards, you can colour the cell in the table based on the value in the field. In your case, you should make the cells multi-value, with the second value being set when you want the colour to change. You then use CSS to hide the second value.

See this solution https://community.splunk.com/t5/Splunk-Search/How-to-change-table-cell-background-color-depends-on-s... 
