Format output for timechart by

tgdvopab · ‎02-07-2019

Hi all,

My splunk search generates the following output via timechart:

_time;cpu_core:host1;cpu_core:host2
2019-02-06 00:30:00;1;2

Because I use the "by-clause" in the timechart, I get the field names like above --> cpu_core:hostname

But I want for each hostname one own rown, for example:

_time,hostname;cpu_core
2019-02-06 00:30:00;host1;1
2019-02-06 00:30:00;host2;2

How can I achieve this?

Thanks a lot

kamlesh_vaghela · ‎02-07-2019

@tgdvopab,

I'm adding in @renjith.nair's search. Can you please try this search??

index=performance_monitoring sourcetype="perf:cpu" 
| timechart limit=0 useother=false span=30min avg(cpu_user_percent) as avg_cpu_user_percent, avg(cpu_system_percent) as avg_cpu_system_percent by hostname 
| untable _time,hostname,cpu_core 
| eval column="",host="" 
| foreach hostname 
    [ eval column=mvindex(split('<<FIELD>>',":"),0),host=mvindex(split('<<FIELD>>',":"),1) ] 
| eval {column}=cpu_core 
| fields - cpu_core,hostname,column 
| stats values(*) as * by _time host

My Sample Search: I've used internal index to perform this like operations.

index="_internal" component=* group=per_* 
| timechart avg(kbps) as avg_cpu_user_percent, avg(kb) as avg_cpu_system_percent by group 
| untable _time,hostname,cpu_core 
| eval column="",host="" 
| foreach hostname 
    [ eval column=mvindex(split('<<FIELD>>',":"),0),host=mvindex(split('<<FIELD>>',":"),1) ] 
| eval {column}=cpu_core | fields - cpu_core,hostname,column | stats values(*) as * by _time host

Thanks

vishaltaneja070 · ‎02-07-2019

@tgdvopab

you can use something like this:

index=performance_monitoring sourcetype="perf:cpu" | bin _time span=30m | stats avg(cpu_user_percent) as avg_cpu_user_percent, avg(cpu_system_percent) as avg_cpu_system_percent by _time, hostname

kamlesh_vaghela · ‎02-07-2019

@tgdvopab
Can you please share sample events?

tgdvopab · ‎02-07-2019

Hi Kamlesh
I shared some sample events in the answer below.
Thanks for your help!

renjith_nair · ‎02-07-2019

@tgdvopab,

Try

"your current search"|rename "cpu_core: *" as *|untable _time,hostname,cpu_core

If this is not what your are looking for, please provide your current search

---
What goes around comes around. If it helps, hit it with Karma 🙂

tgdvopab · ‎02-07-2019

Thank you very much! 🙂 This seems to work as long as I have one field. What if I have multiple fields?
My query looks like the following:

index=performance_monitoring sourcetype="perf:cpu"
| timechart limit=0 useother=false span=30min avg(cpu_user_percent) as avg_cpu_user_percent, avg(cpu_system_percent) as avg_cpu_system_percent by hostname

The following fields are generated:

_time;avg_cpu_system_percent: host1;avg_cpu_system_percent: host2;avg_cpu_user_percent: host1;avg_cpu_user_percent: host2

And the data looks like the following:

2019-02-06 01:30:00;0.08933333333333333;0.11600000000000002;0.166;0.18533333333333335
2019-02-06 02:00:00;0.08833333333333335;0.109;0.164;0.18233333333333332

Now I would like to have the fields in the same order as explained:

_time;hostname;avg_cpu_system_percent;avg_cpu_user_percent

Is this possible?

Format output for timechart by

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability