Hello
I want to do a timechart with unit field values in nanoseconds and based on a token filter $field$
The timechart is based on the code below:
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| eval _time = strftime(_time, "%Y-%m-%d %H:%M")
| sort -_time
| stats avg(PercentProcessorTime) as PercentProcessorTime_AVG, avg(Timestamp_Sys100NS) as Timestamp_Sys100NS_AVG by host, Service
The timechart code is
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| eval _time = strftime(_time, "%Y-%m-%d %H:%M")
| sort -_time
|timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime_AVG by Service
First, I have no value displayed in the graph, just a linear line with value = 0
What would I have to do to display these values in a better way?
Thanks a lot
Hi @jip31.
Try removing the eval _time = strftime(_time, "%Y-%m-%d %H:%M") from your search. Splunk automatically converts it into a readable format unless you assign _time to another variable.
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime_AVG by Service
Hi,
Thanks, that was the issue.
I have another question: in this chart I need another curve.
The code is the same as for the first curve; the data just refers to another machine.
How can I do this, please?
Hi @jip31, if the above answer solved your issue, please upvote and accept it. For your second query, add both hosts to the filter (host="host1" OR host="host2") and use eval in avg
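One way to write the two-host search this answer describes, as an added example that is not code from the thread: host1 and host2 are the answer's placeholder host names, the two output field names are assumed, and the strftime line is left out so _time stays numeric for timechart.

```spl
index="windows-wmi" sourcetype="WMI:CPUload" (host="host1" OR host="host2") (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| timechart span=10m
    avg(eval(if(host="host1", PercentProcessorTime, null()))) as host1_CPU_AVG
    avg(eval(if(host="host2", PercentProcessorTime, null()))) as host2_CPU_AVG
```

Each avg(eval(if(...))) only averages events from its own host, so the chart gets one curve per machine. With a single aggregate, avg(PercentProcessorTime) by host produces the same two curves.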
Hi renjith,
and many thanks.
Yesterday there was the code for the eval function, but I can't see it today.
Can you give it again, please?