Splunk Search

Events data processing / rename variables

PetrK
Engager

Hi there, 

im pretty new in Splunk, so sorry if it is easy task. I have following example events in my index - 

It is a export from the Zabbix monitoring

 

8/31/23
4:39:31.000 PM	
{ [-]
   description: mem Heap Memory used
   groups: [ [+]
   ]
   hostname: WMS_Name
   itemid: 186985
   ns: 941726183
   tags.application: Memory
   type: 3
   value: 1199488000
}
Show as raw text
description = mem Heap Memory usedhost = WMS_NAME1 hostname = WMS_NAME1 source = http:its_wms_zabbixvalue = 1199488000
8/31/23
4:39:31.000 PM	
{ [-]
   description: mem Heap Memory max
   groups: [ [+]
   ]
   hostname: WMS_NAME1
   itemid: 186984
   ns: 883128205
   tags.application: Memory
   type: 3
   value: 8589934592
}
Show as raw text
description = mem Heap Memory maxhost = WMS_NAME1 hostname = WMS_NAME1 source = http:its_wms_zabbixvalue = 8589934592

 

Search query:

 

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" description="mem Heap Memory used" OR description="mem Heap Memory max"| spath "groups{}" | search "groups{}"="Instances/Tests*" | eval ValueMB=value/1024/1024| table _time, hostname, ValueMB

 

 

In this case, there are two events - one for java heap memory usage and one for java heap max memory

Is there any way, how to rename values variable  based on the description in a event and join them in one table under the same time? Or maybe join both events in one?

The main goal is to display both values in one graph and be able to monitor long term usage. 

I found a way with using multisearch, but it takes too much time in processing and i believe there will be a more simple way. 

Thank you in advance for any hint

 

 

Labels (3)
Tags (1)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

@PetrK - Yes, try this search and view them as timechart on Visualization tab.

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" description="mem Heap Memory used" OR description="mem Heap Memory max"| spath "groups{}" | search "groups{}"="Instances/Tests*" | eval ValueMB=value/1024/1024 | eval memUsed=if(description="mem Heap Memory used", valueMB, null()) | eval memMax=if(description="mem Heap Memory max", valueMB, null()) | timechart avg(memUsed) as avg_memUsed, max(memMax) as max_memMax

 

I hope this helps!!! Kindly upvote if it does!!!

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@PetrK - Yes, try this search and view them as timechart on Visualization tab.

index="some_index" sourcetype="zabbix:history" hostname="WMS_NAME1" description="mem Heap Memory used" OR description="mem Heap Memory max"| spath "groups{}" | search "groups{}"="Instances/Tests*" | eval ValueMB=value/1024/1024 | eval memUsed=if(description="mem Heap Memory used", valueMB, null()) | eval memMax=if(description="mem Heap Memory max", valueMB, null()) | timechart avg(memUsed) as avg_memUsed, max(memMax) as max_memMax

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma

PetrK
Engager

Thank You ! That's what i'm looking for. 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...