- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- help to filter a timechart from a dropdown list fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
I use the search below
As you can see, I stat the events by SITE
`CPU`
| fields process_cpu_used_percent host
| eval slottime = strftime(_time, "%H%M")
| where (slottime >= 900 AND slottime <= 1700)
| lookup fo_all HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60",
process_cpu_used_percent>60 AND process_cpu_used_percent <=80,"60-80",
process_cpu_used_percent>80 AND process_cpu_used_percent <=100,"80-100")
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time, cpu_range SITE
Now I need to do a timechart
So I add this line
| timechart span=1d dc(host) by cpu_range
But I need to update my timechart by SITE because I use a dropdown list with differents SITE name
As there is no SITE field in the timechart line, I lose this field so I am unable to display the timechart by SITE
I have tried this but it doesnt works
| timechart span=1d dc(host) by cpu_range SITE
What I have to do for being able to filter the timechart by SITE?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can't timechart BY two things, only one.
Try something like this:
`CPU`
| fields process_cpu_used_percent host
| eval slottime = strftime(_time, "%H%M")
| where (slottime >= 900 AND slottime <= 1700)
| lookup fo_all HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| timechart avg(process_cpu_used_percent) as avg_process_cpu_used_percent by SITE
Now the second part you seem to want is to bucket the cpu into 20% chunks. But ... well why? 🙂 I do get what you are after, but I don't think it's sensible when you are timecharting.
There's no real solution to doing what you want easily, because that makes no sense on the timescale we're using, but that's OK, here's an option anyway.
`CPU`
| fields process_cpu_used_percent host
| eval slottime = strftime(_time, "%H%M")
| where (slottime >= 900 AND slottime <= 1700)
| lookup fo_all HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| timechart avg(process_cpu_used_percent) as avg_process_cpu_used_percent by SITE
| eval avg_process_cpu_used_percent = round(avg_process_cpu_used_percent/20, 0) * 20I mean, you can't average by that, or take the average of a string like "20-40% CPU", so I really don't get ... well, . Anyway, the last one above converts a continuous 0-100 percent into 1) divide by 20 to chop it down to 0.00000 to 5.00000 (with decimal), round it to get rid of the decimals (now just 0 to 5), then multiple it back out to get 0,20,40,60, 80 or 100. Other math could be done, if this is actually want you want to do, but I don't think it is.
And you could *totally* just replace that eval at the end with `| bin bins=5 temperature`, which does in fact use the bin command and makes the *statistics* tab look useful, but there's no way to chart that properly in a timechart. At least no way as far as I can tell.
Anyway, happy splunking!
-Rich
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can't timechart BY two things, only one.
Try something like this:
`CPU`
| fields process_cpu_used_percent host
| eval slottime = strftime(_time, "%H%M")
| where (slottime >= 900 AND slottime <= 1700)
| lookup fo_all HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| timechart avg(process_cpu_used_percent) as avg_process_cpu_used_percent by SITE
Now the second part you seem to want is to bucket the cpu into 20% chunks. But ... well why? 🙂 I do get what you are after, but I don't think it's sensible when you are timecharting.
There's no real solution to doing what you want easily, because that makes no sense on the timescale we're using, but that's OK, here's an option anyway.
`CPU`
| fields process_cpu_used_percent host
| eval slottime = strftime(_time, "%H%M")
| where (slottime >= 900 AND slottime <= 1700)
| lookup fo_all HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| timechart avg(process_cpu_used_percent) as avg_process_cpu_used_percent by SITE
| eval avg_process_cpu_used_percent = round(avg_process_cpu_used_percent/20, 0) * 20I mean, you can't average by that, or take the average of a string like "20-40% CPU", so I really don't get ... well, . Anyway, the last one above converts a continuous 0-100 percent into 1) divide by 20 to chop it down to 0.00000 to 5.00000 (with decimal), round it to get rid of the decimals (now just 0 to 5), then multiple it back out to get 0,20,40,60, 80 or 100. Other math could be done, if this is actually want you want to do, but I don't think it is.
And you could *totally* just replace that eval at the end with `| bin bins=5 temperature`, which does in fact use the bin command and makes the *statistics* tab look useful, but there's no way to chart that properly in a timechart. At least no way as far as I can tell.
Anyway, happy splunking!
-Rich
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
