Splunk Enterprise

Unable to get the sum of CPU time over a period of 7 days.....however it does not give the desired result.

chinmay25
Path Finder

| rex field=DATA "\S(?<DATE>.{10})(?<WORKLOAD>.{3})\S.{137}(?<CPU>.{7}).*"
| where WORKLOAD in("F91","F92","FA1","FA2","FA3","FB2","FC4","FC5","FC6","FH1","FH2","FH3","FH4","FNC","FSC")
| eval CPU_TIME=replace(CPU,",","")
| convert num(CPU_TIME) as CPUTIME
| stats sum(CPUTIME) as CPU_TIME_SEC by WORKLOAD


richgalloway
SplunkTrust
Please provide more information.
What results are you getting? What results do you expect? What does the data look like?
---
If this reply helps you, Karma would be appreciated.

chinmay25
Path Finder

At the moment there is no result... the expectation is to get the sum of the CPU time over the last 7 days for each workload. Currently I am extracting the CPU time from the data. The CPU time in the original data is in seconds.


richgalloway
SplunkTrust

So you'll want to debug your query to figure out why there are no results.

Start with the minimum commands to verify you get the expected events and fields.

index=foo
| rex field=DATA "\S(?<DATE>.{10})(?<WORKLOAD>.{3})\S.{137}(?<CPU>.{7}).*"

If that works, add one command at a time until you get no results.  The last command added likely is the cause.

---
If this reply helps you, Karma would be appreciated.
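
The stage-by-stage check described in the reply above, as an added example that is not part of the thread: it emulates the posted pipeline in Python on constructed fixed-width records and counts how many events survive each command. The record layout and the names `make_record`, `to_number`, `trace` and `first_empty_stage` are assumptions for illustration, and the numeric check only approximates Splunk's `convert num()`.

```python
import re

# The thread's rex pattern; Python spells named groups (?P<name>...) where SPL uses (?<name>...).
REX = re.compile(r"\S(?P<DATE>.{10})(?P<WORKLOAD>.{3})\S.{137}(?P<CPU>.{7}).*")
WORKLOADS = {"F91", "F92", "FA1", "FA2", "FA3", "FB2", "FC4", "FC5",
             "FC6", "FH1", "FH2", "FH3", "FH4", "FNC", "FSC"}


def make_record(workload, cpu, shift=0):
    """Constructed sample record in the layout the regex implies (not real data)."""
    filler = "x" * (137 + shift)          # shift > 0 pushes CPU off its column
    return "|" + "2024-01-01" + workload + "|" + filler + cpu.rjust(7) + "|"


def to_number(text):
    """Assumed stand-in for the numeric conversion; None when text is not a number."""
    try:
        return float(text.strip())
    except ValueError:
        return None


def trace(records):
    """Run the pipeline one stage at a time; return survivors per stage and the sums."""
    counts = {"events": len(records)}
    rows = [m.groupdict() for m in map(REX.search, records) if m]
    counts["rex"] = len(rows)
    rows = [r for r in rows if r["WORKLOAD"] in WORKLOADS]
    counts["where"] = len(rows)
    for r in rows:                         # eval replace(CPU, ",", "") then convert
        r["CPUTIME"] = to_number(r["CPU"].replace(",", ""))
    rows = [r for r in rows if r["CPUTIME"] is not None]
    counts["numeric"] = len(rows)
    sums = {}
    for r in rows:                         # stats sum(CPUTIME) by WORKLOAD
        sums[r["WORKLOAD"]] = sums.get(r["WORKLOAD"], 0) + r["CPUTIME"]
    return counts, sums


def first_empty_stage(counts):
    """Name of the first stage with zero survivors, or None if every stage kept events."""
    return next((stage for stage, n in counts.items() if n == 0), None)
```

Calling `trace()` on a list of records returns the per-stage counts in pipeline order, so `first_empty_stage()` names the command after which nothing is left.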

chinmay25
Path Finder

Hi Rich,

I did do that over the weekend, and the problem is with the Stats sum(.....) command. I don't see any results after adding that command.

I just replaced it with 

| stats values(CPUTIME) as CPU_TIME_SEC by WORKLOAD

and I get the following result... it's the CPU time in seconds for the last 7 days.

F91

3372

3488

3522

4932

14322

F92
733
736
741
785
970

richgalloway
SplunkTrust
Are there events where the WORKLOAD field is NULL? If so, that will prevent stats from producing results.
Also, do the blank lines in the upper-right box above indicate missing data? That also could affect stats.
---
If this reply helps you, Karma would be appreciated.

chinmay25
Path Finder

I am working with a different query for Online CPU time in seconds, and in that query the stats sum command works.

Here is the other query...

| rex field=DATA "\S(?<DATE>.{10})(?<WORKLOAD>.{3})\S.{137}(?<CPU>.{7}).*"
| where WORKLOAD in("F91","F92","FA1","FA2","FA3","FB2","FC4","FC5","FC6","FH1","FH2","FH3","FH4","FNC","FSC")
| eval CPU_min=(CPU/60)
| eval CPU_MIN=round(CPU_min, 2)
| table WORKLOAD CPU_MIN
| stats sum(CPU_MIN) as ONLINE_CPU_TIME by WORKLOAD


richgalloway
SplunkTrust

I wonder if convert is throwing things off in the first search.

---
If this reply helps you, Karma would be appreciated.

chinmay25
Path Finder

Without the convert command I am also seeing the same problem... the original data is in seconds.


chinmay25
Path Finder

No, there is no missing data, and the lines are not blank. I just copied the second set of results instead of typing, hence you see the difference between F91 and F92.
