Splunk Search

Create a ratio of GCs

Path Finder

I would like to create a ratio of full GCs to GCs from my GC log. I can count up either event easy enough but I can't figure out how to count total GCs and then just full GCs such that I can display the percentage as a single value on a dashboard.

Hints?

0 Karma

Builder

Not sure if I got what you're after, but this may help you

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Addtotals

have a play with the options of this command, and it will calculate totals.

For the percentage you need to use the eval command

0 Karma

Builder

you can indeed set up new fields on the fly with the rex command if it's a field extraction (you create a new field) and you can also create new fields with the eval command if they are not extractions but transformations

0 Karma

Path Finder

This would be a more straightforward way of getting my percentage. But PSYoungGen and Full GC are just searches, not fields being picked up by Splunk. Can I define them as a field on the fly?
And Full GC is a subset of PSYoungGen, so a minor tweak to your logic above.

0 Karma

Builder

yes, could you do a field extraction for those values?that way they could be under the same FIELD. then try this:

sourcetype=gc.log FIELD="PSYoungGen" OR FIELD="Full GC" | stats count(FIELD=="PSYoungGen") AS "GCs", count(FIELD="FullGC") AS "Full_GCs", count AS "Total" ...... and then calculate your percentange

I was assuming that in some events you got this value "PSYoungGen" and in some other you got "Full GC" , if it does not work like that maybe you can still see where I was going with my explanation. Please do not hesitate to ask if you don't understand

0 Karma

Path Finder

Ok, this search worked for me. But I wonder if there is anything more efficient (shorter search sting)
sourcetype=gc.log "PSYoungGen"|stats count as "GCs"|append [ search sourcetype=gc.log "Full GC"|stats count as "FullGCs"]|stats sum(GCs) as GCs,sum(FullGCs) as FullGCs|eval PercentFullGCs=(100*FullGCs/GCs)|eval PercentFullGCs=round(PercentFullGCs,0)|table PercentFullGCs

0 Karma

Path Finder

sourcetype=gc.log "PSYoungGen"|eval series="GCs"|append [ search sourcetype=gc.log "Full GC"|eval series="Full GCs"]|stats count by series

0 Karma

Builder

can you type your search here?

0 Karma

Path Finder

Sort of. I have a table with a count for Full GCs and all GCs. Not sure how to get (Full GCs)/(GCs) as the final output.

0 Karma