Splunk Search

CloudWatch metrics averages/max etc. grouped by account?

pileofdata
Loves-to-Learn

Greetings,

Splunk user but newbie still. 

I am building some searches to show AWS CloudWatch data averages per account.

An example would be "Average CPUUtilization in account X during the past 30 days"

I'm currently getting data per EC2 instance with the following search:

index="aws" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name = CPUUtilization | table account_id metric_dimensions metric_name period Average

But of course, this shows only average per instance; I want to roll that data up to the account level and get the average for all instances within an account. 

I suspect "stats" is what I need to use, but a nudge in the right direction would greatly help.

 

 

0 Karma

yuanliu
SplunkTrust

Do you mean

index="aws" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name = CPUUtilization
| stats sum(eval(period*Average)) as totalAverage sum(period) as totalPeriod by account_id
| eval totalAverage = totalAverage/totalPeriod
0 Karma