Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display load average values in a chart?

rajgowd1
Communicator
‎01-19-2017 03:05 PM

Hi,
i have written script which extracts the load average values and provides the output.by using below output, how can we create charts to display load average?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-19-2017 06:16 PM

Since there is no time given in the sample so I will guess it. Let's say if load averages are being calculated at discrete intervals, i.e. the 15 min average does not have data included from the 5 minute average, and 5 minute average doesn't have 1 minute average in it, then if each "output" line is a single event the intuitive graph that becomes is:

index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| timechart max(loadAvg) as LoadAvg

From the visualization options choose Format >> General >> Null Values as Connect to ensure the average stays continuous in case of missing values . That shall form the basic timechart at least to start off. Alternatively you can use min function in timechart.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-19-2017 06:16 PM

Since there is no time given in the sample so I will guess it. Let's say if load averages are being calculated at discrete intervals, i.e. the 15 min average does not have data included from the 5 minute average, and 5 minute average doesn't have 1 minute average in it, then if each "output" line is a single event the intuitive graph that becomes is:

index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| timechart max(loadAvg) as LoadAvg

From the visualization options choose Format >> General >> Null Values as Connect to ensure the average stays continuous in case of missing values . That shall form the basic timechart at least to start off. Alternatively you can use min function in timechart.

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 06:51 PM

thank you for your response.

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 07:10 PM

can we show values in single line like below

0.00,0.20,10.00

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-19-2017 08:30 PM

you might want to explore the transpose option, something like:

index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| table loadAvg
| transpose
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-19-2017 05:23 PM

YOu may be missing the output that you wanted to show.

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 05:46 PM

somehow i am not able to copy entire output,i copied single line
but here is the last column from the out put

name="loadaverage|last1min" value="0.00"
name="loadaverage|last5min" value="0.34"/>
name="loadaverage|last15min" value="5.00"/>

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-19-2017 05:25 PM

sorry here is the output

system time="Thu Jan 19 20:24:50 2017" HostName ="gpd-653-fc88" Days ="76" Users ="2" name="loadaverage|last1min" value="0.00"/>

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...