Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I get a load average of cpu using splunk q...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
udaymadupathi
New Member
07-27-2018
09:24 AM
I am seeing 3 load average values, need to get a query to get 3 values and get an average.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-28-2018
09:19 PM
Okay, given your data format, I don't think that multikv is going to properly extract your data. multikv is designed to get columnar data, ( see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv) and this data looks nothing like that.
Try this...
index="osw" host="ausilsoaapp49.us.dell.com" sourcetype="oswtop"
| rex "load average:\s*(?<load1>[\d\.]*),\s*(?<load2>[\d\.]*),\s*(?<load3>[\d\.]*)"
| fillnull value=0 load1 load2 load3
| eval LoadAverage = round((load1+load2+load3)/3,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-28-2018
09:19 PM
Okay, given your data format, I don't think that multikv is going to properly extract your data. multikv is designed to get columnar data, ( see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv) and this data looks nothing like that.
Try this...
index="osw" host="ausilsoaapp49.us.dell.com" sourcetype="oswtop"
| rex "load average:\s*(?<load1>[\d\.]*),\s*(?<load2>[\d\.]*),\s*(?<load3>[\d\.]*)"
| fillnull value=0 load1 load2 load3
| eval LoadAverage = round((load1+load2+load3)/3,2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
udaymadupathi
New Member
07-27-2018
09:56 AM
index="osw" host="ausilsoaapp49.us.dell.com" sourcetype="oswtop"| multikv fields load average | (?[\d.]+), (?[\d.]+), (?[\d.]+) |stats avg("Total load avg time") as "Average load avg"
top - 11:55:37 up 15 days, 20:56, 0 users, load average: 4035.66, 4033.69, 403
Tasks: 4315 total, 1 running, 4314 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.2 us, 7.3 sy, 0.0 ni, 86.3 id, 0.0 wa, 0.0 hi, 0.2 si, 0.0 st
KiB Mem : 16260328 total, 931420 free, 12506104 used, 2822804 buff/cache
KiB Swap: 2097148 total, 2097148 free, 0 used. 2042484 avail Mem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
07-27-2018
09:39 AM
please provide the query you are using and a sample event of your data so we can help you
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
