I am looking at maximum processor usage by specific processes on a group of clients. By using stats max on my data (which contains host, instance, and % Processor Time fields), I can pull the max % Processor time that a given process reached on any client in the group. Is there a way to get Splunk to tell me which host (or record) that maximum came from? Ideally I'd like to be able to mouse over the entry in a bar graph and have it tell me something like "iexplore: 99%, host: foo1".
Yes, you can do this using the "sort" command, supposing the processor time is in a field called % Processor Time:
... | sort - "% Processor Time" | head 1 | table host instance "% Processor Time"
Now, you can make this more interesting by looking at the top per host:
... | dedup host sortby - "% Processor Time" | table host instance "% Processor Time"
I used stats to split out the max by each host and instance, then used eval to create a new field (eval hostInstance = instance . ":" . host), then displayed the max value with the conjoined field. Inelegant but functional.
I think this is the way to go, though:
...| stats max(Value) as Max by instance,host | dedup instance sortby -Max
What was the other way that you ended up using?
I ended up doing this another way, but I think this works too, so I'll mark it up. Thanks.
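The three SPL pipelines in this thread (global top record, top record per host, and max per instance with the host that reached it) all reduce to picking the record that attains a maximum rather than just the maximum value. The Python below is an added illustration of that logic over constructed perfmon-style rows; it is not code from the answers above, and the host and process names are made up.

```python
from collections import defaultdict

# Constructed sample records (not real data): one row per host/process sample,
# mirroring the Splunk perfmon fields host, instance and "% Processor Time".
SAMPLE_ROWS = [
    {"host": "foo1", "instance": "iexplore", "% Processor Time": 99.0},
    {"host": "foo2", "instance": "iexplore", "% Processor Time": 42.5},
    {"host": "foo1", "instance": "iexplore", "% Processor Time": 17.0},
    {"host": "foo2", "instance": "outlook", "% Processor Time": 63.0},
    {"host": "foo3", "instance": "outlook", "% Processor Time": 12.0},
    {"host": "foo3", "instance": "svchost", "% Processor Time": 80.0},
]
FIELD = "% Processor Time"

def global_max(rows):
    """Equivalent of `sort - "% Processor Time" | head 1`: the single record
    with the highest value, so the host that produced it is still attached."""
    return max(rows, key=lambda r: r[FIELD])

def max_per_host(rows):
    """Equivalent of `dedup host sortby - "% Processor Time"`: keep only the
    highest-value record for each host (first seen wins on ties)."""
    best = {}
    for r in rows:
        if r["host"] not in best or r[FIELD] > best[r["host"]][FIELD]:
            best[r["host"]] = r
    return best

def max_per_instance(rows):
    """Equivalent of `stats max(Value) as Max by instance,host | dedup instance
    sortby -Max`: for every process, its peak value and the host that hit it.
    Returns {instance: (max_value, host)} so a chart tooltip can show both."""
    peak = defaultdict(lambda: (float("-inf"), None))
    for r in rows:
        if r[FIELD] > peak[r["instance"]][0]:
            peak[r["instance"]] = (r[FIELD], r["host"])
    return dict(peak)

def tooltip(instance, value, host):
    """Label in the form the question asks for, e.g. 'iexplore: 99%, host: foo1'."""
    return f"{instance}: {value:g}%, host: {host}"

if __name__ == "__main__":
    top = global_max(SAMPLE_ROWS)
    print(tooltip(top["instance"], top[FIELD], top["host"]))
    for inst, (val, host) in sorted(max_per_instance(SAMPLE_ROWS).items()):
        print(tooltip(inst, val, host))
```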