Splunk Search

Events data processing / rename variables

PetrK
Engager

Hi there, 

I'm pretty new to Splunk, so sorry if it is an easy task. I have the following example events in my index.

It is an export from Zabbix monitoring.

8/31/23 4:39:31.000 PM
{
   description: mem Heap Memory used
   groups: [ ... ]
   hostname: WMS_Name
   itemid: 186985
   ns: 941726183
   tags.application: Memory
   type: 3
   value: 1199488000
}
description = mem Heap Memory used
host = WMS_NAME1
hostname = WMS_NAME1
source = http:its_wms_zabbix
value = 1199488000

8/31/23 4:39:31.000 PM
{
   description: mem Heap Memory max
   groups: [ ... ]
   hostname: WMS_NAME1
   itemid: 186984
   ns: 883128205
   tags.application: Memory
   type: 3
   value: 8589934592
}
description = mem Heap Memory max
host = WMS_NAME1
hostname = WMS_NAME1
source = http:its_wms_zabbix
value = 8589934592

Search query:

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1"
    (description="mem Heap Memory used" OR description="mem Heap Memory max")
| spath "groups{}"
| search "groups{}"="Instances/Tests*"
| eval ValueMB=value/1024/1024
| table _time, hostname, ValueMB

In this case, there are two events: one for Java heap memory usage and one for Java heap max memory.

Is there any way to rename the value variable based on the description in an event and join them in one table under the same time? Or maybe join both events into one?

The main goal is to display both values in one graph and be able to monitor long-term usage.

I found a way using multisearch, but it takes too much time in processing and I believe there will be a simpler way.
Thank you in advance for any hint.

1 Solution

VatsalJagani
SplunkTrust

@PetrK - Yes, try this search and view it as a timechart on the Visualization tab.

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1"
    (description="mem Heap Memory used" OR description="mem Heap Memory max")
| spath "groups{}"
| search "groups{}"="Instances/Tests*"
| eval ValueMB=value/1024/1024
| eval memUsed=if(description="mem Heap Memory used", ValueMB, null())
| eval memMax=if(description="mem Heap Memory max", ValueMB, null())
| timechart avg(memUsed) as avg_memUsed, max(memMax) as max_memMax


I hope this helps!!! Kindly upvote if it does!!!

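An alternative to the accepted answer, added here as an example and not part of either post: instead of one hard-coded eval per description, derive a short metric name from the description and let timechart split the series on it. It assumes the same index, sourcetype and field names as the question; the names metric, heap_used, heap_max and pct_used and the 5-minute span are assumptions of this example.

```spl
index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1"
    (description="mem Heap Memory used" OR description="mem Heap Memory max")
| spath "groups{}"
| search "groups{}"="Instances/Tests*"
| eval ValueMB=round(value/1024/1024, 2)
| eval metric="heap_" . replace(description, "^mem Heap Memory ", "")
| timechart span=5m avg(ValueMB) by metric
| eval pct_used=round(100 * heap_used / heap_max, 1)
```

The replace() call turns the two descriptions into the values heap_used and heap_max, and timechart ... by metric produces one column per value in every time bucket, so both series land in the same row and chart together without a multisearch. Because they share a row, the final eval can compute a utilisation percentage, which is easier to alert on and read over a long range than the two raw curves. Match the span to the Zabbix collection interval so that each bucket holds at least one sample of each metric; an empty bucket for either metric leaves pct_used null for that row.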


PetrK
Engager

Thank you! That's what I'm looking for.
