Events data processing / rename variables

PetrK
Engager

Hi there, 

I'm pretty new to Splunk, so sorry if this is an easy task. I have the following example events in my index.

It is an export from Zabbix monitoring.

8/31/23 4:39:31.000 PM
{
   description: mem Heap Memory used
   groups: [ ... ]
   hostname: WMS_Name
   itemid: 186985
   ns: 941726183
   tags.application: Memory
   type: 3
   value: 1199488000
}
Raw text: description = mem Heap Memory used, host = WMS_NAME1, hostname = WMS_NAME1, source = http:its_wms_zabbix, value = 1199488000

8/31/23 4:39:31.000 PM
{
   description: mem Heap Memory max
   groups: [ ... ]
   hostname: WMS_NAME1
   itemid: 186984
   ns: 883128205
   tags.application: Memory
   type: 3
   value: 8589934592
}
Raw text: description = mem Heap Memory max, host = WMS_NAME1, hostname = WMS_NAME1, source = http:its_wms_zabbix, value = 8589934592

Search query:

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" (description="mem Heap Memory used" OR description="mem Heap Memory max")
| spath "groups{}"
| search "groups{}"="Instances/Tests*"
| eval ValueMB=value/1024/1024
| table _time, hostname, ValueMB

In this case, there are two events: one for Java heap memory usage and one for Java heap max memory.

Is there any way to rename the value variable based on the description in an event and join them in one table under the same time? Or maybe join both events into one?

The main goal is to display both values in one graph and be able to monitor long-term usage.

I found a way using multisearch, but it takes too much time in processing and I believe there will be a simpler way.

Thank you in advance for any hint.

1 Solution

VatsalJagani
SplunkTrust

@PetrK - Yes, try this search and view it as a timechart on the Visualization tab.

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" (description="mem Heap Memory used" OR description="mem Heap Memory max")
| spath "groups{}"
| search "groups{}"="Instances/Tests*"
| eval ValueMB=value/1024/1024
| eval memUsed=if(description="mem Heap Memory used", ValueMB, null())
| eval memMax=if(description="mem Heap Memory max", ValueMB, null())
| timechart avg(memUsed) as avg_memUsed, max(memMax) as max_memMax

 

I hope this helps!!! Kindly upvote if it does!!!

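
The search below is an added example, not part of the question or of the accepted answer above. It takes the same pivot idea (one eval per description, the other field left null) but replaces timechart with bin plus stats, so the output is one row per time bucket and host with the used and max values side by side, which is the "one table under the same time" the question asked for, and it derives the heap utilisation percentage that is the useful number for long-term monitoring. Field names (description, hostname, value, groups{}) are taken from the events in the question; the 5-minute span and the heap_* output names are assumptions chosen for illustration.

```spl
index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1"
    (description="mem Heap Memory used" OR description="mem Heap Memory max")
| spath "groups{}"
| search "groups{}"="Instances/Tests*"
| eval ValueMB=value/1024/1024
| eval heap_used_mb=if(description="mem Heap Memory used", ValueMB, null())
| eval heap_max_mb=if(description="mem Heap Memory max", ValueMB, null())
| bin _time span=5m
| stats max(heap_used_mb) as heap_used_mb, max(heap_max_mb) as heap_max_mb by _time, hostname
| where isnotnull(heap_used_mb) AND isnotnull(heap_max_mb)
| eval heap_used_pct=round(100*heap_used_mb/heap_max_mb, 1)
| table _time, hostname, heap_used_mb, heap_max_mb, heap_used_pct
```

The two Zabbix events share a timestamp but arrive as separate records, so the bin command is what aligns them into the same row; the stats by hostname clause means the same search works for several hosts at once if the hostname filter in the first line is dropped. The where clause discards buckets where only one half of the pair was collected, so heap_used_pct is never computed against a null max. Field names in SPL are case-sensitive, so the field created by eval (ValueMB) has to be referenced with exactly that spelling in the later evals.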

PetrK
Engager

Thank you! That's what I'm looking for.
