
Events data processing / rename variables

PetrK
Engager

Hi there, 

I'm pretty new to Splunk, so sorry if this is an easy task. I have the following example events in my index -

It is an export from Zabbix monitoring.


8/31/23 4:39:31.000 PM
{
   description: mem Heap Memory used
   groups: [ ... ]
   hostname: WMS_Name
   itemid: 186985
   ns: 941726183
   tags.application: Memory
   type: 3
   value: 1199488000
}
description = mem Heap Memory used   host = WMS_NAME1   hostname = WMS_NAME1   source = http:its_wms_zabbix   value = 1199488000

8/31/23 4:39:31.000 PM
{
   description: mem Heap Memory max
   groups: [ ... ]
   hostname: WMS_NAME1
   itemid: 186984
   ns: 883128205
   tags.application: Memory
   type: 3
   value: 8589934592
}
description = mem Heap Memory max   host = WMS_NAME1   hostname = WMS_NAME1   source = http:its_wms_zabbix   value = 8589934592


Search query:


index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" (description="mem Heap Memory used" OR description="mem Heap Memory max") | spath "groups{}" | search "groups{}"="Instances/Tests*" | eval ValueMB=value/1024/1024 | table _time, hostname, ValueMB


In this case, there are two events - one for Java heap memory usage and one for Java heap max memory.

Is there any way to rename the value variable based on the description in an event and join them in one table under the same time? Or maybe join both events into one?

The main goal is to display both values in one graph and be able to monitor long-term usage.

I found a way using multisearch, but it takes too much time in processing and I believe there will be a simpler way.

Thank you in advance for any hint.

1 Solution

VatsalJagani
SplunkTrust

@PetrK - Yes, try this search and view them as a timechart on the Visualization tab.

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" (description="mem Heap Memory used" OR description="mem Heap Memory max") | spath "groups{}" | search "groups{}"="Instances/Tests*" | eval ValueMB=value/1024/1024 | eval memUsed=if(description="mem Heap Memory used", ValueMB, null()) | eval memMax=if(description="mem Heap Memory max", ValueMB, null()) | timechart avg(memUsed) as avg_memUsed, max(memMax) as max_memMax


I hope this helps!!! Kindly upvote if it does!!!

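The same split-by-description pivot that the answer's eval/if pair performs, as an added stand-alone Python illustration (not Splunk code and not from the post): the events are constructed from the two shown in the question, the groups values are assumed because the post shows them collapsed, and the usedPct column is an extra the answer does not compute.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events modelled on the Zabbix history records in the post.
# The "groups" values are assumed (the post shows them collapsed); the third event
# has a non-matching group and exists only to show the group filter working.
SAMPLE_EVENTS = [
    {"_time": "2023-08-31T16:39:31", "hostname": "WMS_NAME1",
     "description": "mem Heap Memory used", "groups": ["Instances/Tests/WMS"],
     "value": 1199488000},
    {"_time": "2023-08-31T16:39:31", "hostname": "WMS_NAME1",
     "description": "mem Heap Memory max", "groups": ["Instances/Tests/WMS"],
     "value": 8589934592},
    {"_time": "2023-08-31T16:39:31", "hostname": "WMS_NAME1",
     "description": "mem Heap Memory used", "groups": ["Instances/Prod/WMS"],
     "value": 1},
]

# Same mapping the answer builds with eval/if: description -> output column.
FIELD_BY_DESCRIPTION = {
    "mem Heap Memory used": "memUsed",
    "mem Heap Memory max": "memMax",
}


def pivot_heap_events(events, hostname="WMS_NAME1", group_pattern="Instances/Tests*"):
    """Filter like the SPL search, convert bytes to MB, and place the 'used' and
    'max' readings on one row keyed by (_time, hostname)."""
    rows = defaultdict(dict)
    for ev in events:
        if ev.get("hostname") != hostname:
            continue
        column = FIELD_BY_DESCRIPTION.get(ev.get("description"))
        if column is None:
            continue
        # search "groups{}"="Instances/Tests*" matches if any group element matches
        if not any(fnmatchcase(g, group_pattern) for g in ev.get("groups", [])):
            continue
        rows[(ev["_time"], hostname)][column] = ev["value"] / 1024 / 1024
    result = []
    for (t, h), vals in sorted(rows.items()):
        used, mx = vals.get("memUsed"), vals.get("memMax")
        # usedPct is an added convenience column, not something the answer computes
        pct = round(100 * used / mx, 1) if used is not None and mx else None
        result.append({"_time": t, "hostname": h, "memUsed": used,
                       "memMax": mx, "usedPct": pct})
    return result
```

Running pivot_heap_events(SAMPLE_EVENTS) yields a single row with memMax 8192.0 MB and memUsed about 1143.92 MB; the event with the wrong group prefix is dropped.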


PetrK
Engager

Thank you! That's what I'm looking for.
