Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I write a search to display the average memory utilization over a 4 hour, 7 day, and 30 day period in different time spans?

idab
Path Finder
‎09-08-2015 11:51 AM

I am having problems calculating the average memory utilization over different time spans.

Not sure if I'm doing this the right way. I need ideas.

index=perfmon counter="Available MBytes"  collection=Memory host=megatron earliest=-7d |bucket span=1m  _time |stats  avg(Value) as AvgValue min(Value) as MinValue max(Value) as MaxValue by  _time host | dedup host | eval AvgValue = round(AvgValue/1024 ,1) | eval MinValue = round(MinValue/1024,1) | eval MaxValue = round(MaxValue/1024,1)
Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-08-2015 04:23 PM

Easiest option and easy to read will be this

 index=perfmon counter="Available MBytes"  collection=Memory host=megatron earliest=-30d  |stats  avg(Value) as AvgValue_Last30d min(Value) as MinValue_Last30d max(Value) as MaxValue_Last30d by  host | eval AvgValue_Last30d = round(AvgValue_Last30d/1024 ,1) | eval MinValue_Last30d = round(MinValue_Last30d/1024,1) | eval MaxValue_Last30d = round(MaxValue_Last30d/1024,1) 
| append [search index=perfmon counter="Available MBytes"  collection=Memory host=megatron earliest=-7d  |stats  avg(Value) as AvgValue_Last7d min(Value) as MinValue_Last7d max(Value) as MaxValue_Last7d by  host  | eval AvgValue_Last7d = round(AvgValue_Last7d/1024 ,1) | eval MinValue_Last7d = round(MinValue_Last7d/1024,1) | eval MaxValue_Last7d = round(MaxValue_Last7d/1024,1)]
| append [search index=perfmon counter="Available MBytes"  collection=Memory host=megatron earliest=-4h  |stats  avg(Value) as AvgValue_Last4h min(Value) as MinValue_Last4h max(Value) as MaxValue_Last4h by  host  | eval AvgValue_Last4h = round(AvgValue_Last4h/1024 ,1) | eval MinValue_Last4h = round(MinValue_Last4h/1024,1) | eval MaxValue_Last4h = round(MaxValue_Last4h/1024,1)] 
| stats values(*) as * by host

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-08-2015 04:23 PM

Easiest option and easy to read will be this

 index=perfmon counter="Available MBytes"  collection=Memory host=megatron earliest=-30d  |stats  avg(Value) as AvgValue_Last30d min(Value) as MinValue_Last30d max(Value) as MaxValue_Last30d by  host | eval AvgValue_Last30d = round(AvgValue_Last30d/1024 ,1) | eval MinValue_Last30d = round(MinValue_Last30d/1024,1) | eval MaxValue_Last30d = round(MaxValue_Last30d/1024,1) 
| append [search index=perfmon counter="Available MBytes"  collection=Memory host=megatron earliest=-7d  |stats  avg(Value) as AvgValue_Last7d min(Value) as MinValue_Last7d max(Value) as MaxValue_Last7d by  host  | eval AvgValue_Last7d = round(AvgValue_Last7d/1024 ,1) | eval MinValue_Last7d = round(MinValue_Last7d/1024,1) | eval MaxValue_Last7d = round(MaxValue_Last7d/1024,1)]
| append [search index=perfmon counter="Available MBytes"  collection=Memory host=megatron earliest=-4h  |stats  avg(Value) as AvgValue_Last4h min(Value) as MinValue_Last4h max(Value) as MaxValue_Last4h by  host  | eval AvgValue_Last4h = round(AvgValue_Last4h/1024 ,1) | eval MinValue_Last4h = round(MinValue_Last4h/1024,1) | eval MaxValue_Last4h = round(MaxValue_Last4h/1024,1)] 
| stats values(*) as * by host
Reply
Solved! Jump to solution

idab
Path Finder
‎09-14-2015 05:23 PM

Hi somesoni,

Is there a way to use the anomalies command to find the anomalies that exist for each variable in respect to _last 4 hours?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-08-2015 12:54 PM

You want to show avg memory utilization (for a host OR all host) and show different column for last 4 hour, last 7 days and last 30 days period?

0 Karma
Reply
Solved! Jump to solution

idab
Path Finder
‎09-08-2015 03:19 PM

Yes ! for a host and show different column for last 4 hour, last 7 days and last 30 days period.

Curious to see how its done for all host as well 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...