Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert  `_time` to the column and  `host` as an index while using `mstats`?

microsac
Explorer
‎03-31-2022 05:08 AM

How to convert  `_time` to the column and  `host` as an index while using `mstats`?

| mstats avg(_value) prestats=true WHERE metric_name="cpu.*" AND index="*" AND
(host="host01.example.com" OR 
host="host02.example.com" OR 
host="host03.example.com" OR 
host="host04.example.com" OR 
host="host05.example.com" OR
host="host06.example.com" 
) AND `sai_metrics_indexes` span=auto BY metric_name
| timechart avg(_value) as "Avg" span=30m by metric_name
| fillnull value=0 
| foreach *[| eval "<<FIELD>>"=round('<<FIELD>>',2)]

 The above results in as follows:

microsac_0-1648727550403.png

What is Desired:

host               _time                 cpu.idle cpu.interrupt cpu.nice  cpu.softirq  cpu.steal cpu.system cpu.user cpu.wait 
host01.example.com 2022-03-31 07:30:00   57.56    0.00          22.98     0.08         0.00      18.75      0.59     0.04
host01.example.com 2022-03-31 08:00:00   59.08    0.00          22.02     0.11         0.00      18.06      0.70     0.04
host01.example.com 2022-03-31 08:00:00   61.79    0.00          20.53     0.08         0.00      16.96      0.62     0.04


Any help will be uch appeciated.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-31-2022 11:43 AM 
## Since timechart only support group by one field, we're using this alternative implementation. Doing bucket of _time with same span that was used in timechart##
| bucket span=30m _time
## Merging two fields, so that charting can be done for two fields.
| eval temp=host."##"._time
## Running chart with merge field appearing as rows and metric_name values are column.
| chart avg(_value) as "Avg" over temp by metric_name
| fillnull value=0 
| foreach cpu.* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
## Getting those merged field back.
| eval host=mvindex(split(temp,"##"),0)
| eval _time=tonumber(mvindex(split(temp,"##"),1))
| fields - temp | table host _time *

View solution in original post

0 Karma
Reply
Solved! Jump to solution

microsac
Explorer
‎03-31-2022 08:23 PM

@somesoni2  

| eval host=mvindex(split(temp,"##"),0)  <-- Can you please explain this ?
| eval _time=tonumber(mvindex(split(temp,"##"),1))  <-- Can you please explain this ?
| fields - temp | table host _time *

What is the meaning of using "##", does it has a special meaning here?

 

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎03-31-2022 07:51 AM

You haven't use host in SPL.

Try to use host filed in your SPL first either in stats or BY.

in last 

 |table host _time *
0 Karma
Reply
Solved! Jump to solution

microsac
Explorer
‎03-31-2022 08:23 AM

@dhirendra761  i tried that in the last line of search but did not  list the host, it  shows the host column but do not print the hostname's .. it turns blank.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-31-2022 07:45 AM

Give this a try

| mstats avg(_value) prestats=true WHERE metric_name="cpu.*" AND index="*" AND
(host="host01.example.com" OR 
host="host02.example.com" OR 
host="host03.example.com" OR 
host="host04.example.com" OR 
host="host05.example.com" OR
host="host06.example.com" 
) AND `sai_metrics_indexes` span=auto BY metric_name host
| bucket span=30m _time
| eval temp=host."##"._time
| chart avg(_value) as "Avg" over temp by metric_name
| fillnull value=0 
| foreach cpu.* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
| eval host=mvindex(split(temp,"##"),0)
| eval _time=tonumber(mvindex(split(temp,"##"),1))
| fields - temp | table host _time *
Reply
Solved! Jump to solution

microsac
Explorer
‎03-31-2022 08:06 AM

@somesoni2 , this works can you explain the part you placed it working that will also help posterity.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-31-2022 11:43 AM 
## Since timechart only support group by one field, we're using this alternative implementation. Doing bucket of _time with same span that was used in timechart##
| bucket span=30m _time
## Merging two fields, so that charting can be done for two fields.
| eval temp=host."##"._time
## Running chart with merge field appearing as rows and metric_name values are column.
| chart avg(_value) as "Avg" over temp by metric_name
| fillnull value=0 
| foreach cpu.* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
## Getting those merged field back.
| eval host=mvindex(split(temp,"##"),0)
| eval _time=tonumber(mvindex(split(temp,"##"),1))
| fields - temp | table host _time *
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...