Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display load average values in a chart?

rajgowd1
Communicator
‎01-19-2017 03:05 PM

Hi,
i have written script which extracts the load average values and provides the output.by using below output, how can we create charts to display load average?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-19-2017 06:16 PM

Since there is no time given in the sample so I will guess it. Let's say if load averages are being calculated at discrete intervals, i.e. the 15 min average does not have data included from the 5 minute average, and 5 minute average doesn't have 1 minute average in it, then if each "output" line is a single event the intuitive graph that becomes is:

index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| timechart max(loadAvg) as LoadAvg

From the visualization options choose Format >> General >> Null Values as Connect to ensure the average stays continuous in case of missing values . That shall form the basic timechart at least to start off. Alternatively you can use min function in timechart.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-19-2017 06:16 PM

Since there is no time given in the sample so I will guess it. Let's say if load averages are being calculated at discrete intervals, i.e. the 15 min average does not have data included from the 5 minute average, and 5 minute average doesn't have 1 minute average in it, then if each "output" line is a single event the intuitive graph that becomes is:

index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| timechart max(loadAvg) as LoadAvg

From the visualization options choose Format >> General >> Null Values as Connect to ensure the average stays continuous in case of missing values . That shall form the basic timechart at least to start off. Alternatively you can use min function in timechart.

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 06:51 PM

thank you for your response.

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 07:10 PM

can we show values in single line like below

0.00,0.20,10.00

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-19-2017 08:30 PM

you might want to explore the transpose option, something like:

index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| table loadAvg
| transpose
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-19-2017 05:23 PM

YOu may be missing the output that you wanted to show.

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 05:46 PM

somehow i am not able to copy entire output,i copied single line
but here is the last column from the out put

name="loadaverage|last1min" value="0.00"
name="loadaverage|last5min" value="0.34"/>
name="loadaverage|last15min" value="5.00"/>

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 05:25 PM

sorry here is the output

system time="Thu Jan 19 20:24:50 2017" HostName ="gpd-653-fc88" Days ="76" Users ="2" name="loadaverage|last1min" value="0.00"/>

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...