Format output for timechart by

tgdvopab · ‎02-07-2019

Hi all,

My splunk search generates the following output via timechart:

_time;cpu_core:host1;cpu_core:host2
2019-02-06 00:30:00;1;2

Because I use the "by-clause" in the timechart, I get the field names like above --> cpu_core:hostname

But I want for each hostname one own rown, for example:

_time,hostname;cpu_core
2019-02-06 00:30:00;host1;1
2019-02-06 00:30:00;host2;2

How can I achieve this?

Thanks a lot

kamlesh_vaghela · ‎02-07-2019

@tgdvopab,

I'm adding in @renjith.nair's search. Can you please try this search??

index=performance_monitoring sourcetype="perf:cpu" 
| timechart limit=0 useother=false span=30min avg(cpu_user_percent) as avg_cpu_user_percent, avg(cpu_system_percent) as avg_cpu_system_percent by hostname 
| untable _time,hostname,cpu_core 
| eval column="",host="" 
| foreach hostname 
    [ eval column=mvindex(split('<<FIELD>>',":"),0),host=mvindex(split('<<FIELD>>',":"),1) ] 
| eval {column}=cpu_core 
| fields - cpu_core,hostname,column 
| stats values(*) as * by _time host

My Sample Search: I've used internal index to perform this like operations.

index="_internal" component=* group=per_* 
| timechart avg(kbps) as avg_cpu_user_percent, avg(kb) as avg_cpu_system_percent by group 
| untable _time,hostname,cpu_core 
| eval column="",host="" 
| foreach hostname 
    [ eval column=mvindex(split('<<FIELD>>',":"),0),host=mvindex(split('<<FIELD>>',":"),1) ] 
| eval {column}=cpu_core | fields - cpu_core,hostname,column | stats values(*) as * by _time host

Thanks

vishaltaneja070 · ‎02-07-2019

@tgdvopab

you can use something like this:

index=performance_monitoring sourcetype="perf:cpu" | bin _time span=30m | stats avg(cpu_user_percent) as avg_cpu_user_percent, avg(cpu_system_percent) as avg_cpu_system_percent by _time, hostname

kamlesh_vaghela · ‎02-07-2019

@tgdvopab
Can you please share sample events?

tgdvopab · ‎02-07-2019

Hi Kamlesh
I shared some sample events in the answer below.
Thanks for your help!

renjith_nair · ‎02-07-2019

@tgdvopab,

Try

"your current search"|rename "cpu_core: *" as *|untable _time,hostname,cpu_core

If this is not what your are looking for, please provide your current search

---
What goes around comes around. If it helps, hit it with Karma 🙂

tgdvopab · ‎02-07-2019

Thank you very much! 🙂 This seems to work as long as I have one field. What if I have multiple fields?
My query looks like the following:

index=performance_monitoring sourcetype="perf:cpu"
| timechart limit=0 useother=false span=30min avg(cpu_user_percent) as avg_cpu_user_percent, avg(cpu_system_percent) as avg_cpu_system_percent by hostname

The following fields are generated:

_time;avg_cpu_system_percent: host1;avg_cpu_system_percent: host2;avg_cpu_user_percent: host1;avg_cpu_user_percent: host2

And the data looks like the following:

2019-02-06 01:30:00;0.08933333333333333;0.11600000000000002;0.166;0.18533333333333335
2019-02-06 02:00:00;0.08833333333333335;0.109;0.164;0.18233333333333332

Now I would like to have the fields in the same order as explained:

_time;hostname;avg_cpu_system_percent;avg_cpu_user_percent

Is this possible?

Format output for timechart by

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Are you a member of the Splunk Community?

Format output for timechart by

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston