Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I find the average memory utilization ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a tough problem to even describe but I’ll give it a shot. I have an index that contains machine performance data for users and the machines they log onto. The data in the index is summarized into 1 hour increments. I would like to use the cpu_mhz_used field to find the busiest eight hours per user per day and then average the memory used for the time range chosen in the time picker. Said another way, I would like to find the average memory used for each user for the busiest eight hours of each day. Each user should have a maximum of eight busiest hours per day, even if they login to multiple machines.
Here is a small subset of the data.
_time user_name machine_name cpu_mhz_used memory_used
01/14/2015 13:30 user1 machine1 343 2707.604492
01/14/2015 14:30 user1 machine1 384 2711.213867
01/14/2015 15:30 user1 machine2 365 2001.279297
01/14/2015 15:30 user1 machine1 365 2736.143555
01/14/2015 16:30 user1 machine2 252 2209.796875
01/14/2015 16:30 user1 machine1 378 2734.118164
01/14/2015 17:30 user1 machine2 265 2239.34668
01/14/2015 17:30 user1 machine1 352 2746.083984
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I think I figured it out with the help of this answer to get me on the right track.
http://answers.splunk.com/answers/177149/how-to-get-1st-2nd-and-3rd-place-results-based-on.html
index=performancedata|
bucket _time span=1d|
sort _time, user_name, -cpu_mhz_used|
streamstats count as rank by user_name, _time|
where rank < 9|
stats avg(memory_used) by user_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I think I figured it out with the help of this answer to get me on the right track.
http://answers.splunk.com/answers/177149/how-to-get-1st-2nd-and-3rd-place-results-based-on.html
index=performancedata|
bucket _time span=1d|
sort _time, user_name, -cpu_mhz_used|
streamstats count as rank by user_name, _time|
where rank < 9|
stats avg(memory_used) by user_name
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
