Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to aggregate the values from all disks in a single value and display a line representing IOPS from these disks?

jorgefg
Explorer
‎12-15-2016 07:43 AM

Hi folks,
I'm using the following search to display a graph with the disk throughput (IOPS) for every disk in a host:

index="os" source="iostat" host="splunk" | timechart span=5m avg(total_ops) by Device

alt text

But I don't know how to aggregate the values from all disks in a single value and display only a line with all the IOPS from all disks.

Any suggestion would be appreciated.

Thanks!
Jorge.

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 08:45 AM

How about this

index="os" source="iostat" host="splunk" | timechart span=5m avg(total_ops) by Device | addtotals fieldname=IOPS | table _time IOPS

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎12-15-2016 11:30 AM

Could you please clarify whether you want to see total of IOPS for all devices or average of all IOPS? If possible with dummy data examples as table. I would expect sum() and max() as the stats to be used in the following case instead of average unless if that is what you want to show for all IOPS by Devices.

Following will show single TotalIOPS line on top of your existing series.

index="os" source="iostat" host="splunk" |  eventstats max(total_ops) as Total   | timechart span=5m max(total_ops) as Max max(Total) as Total by Device |fields - "Total: sdb" "Total: sdc" | rename "Total: sda" as Total 

 | <use fields -  to remove other Total fields> | <rename one of the Total field as per your need>

Finally, create Chart Overlay with Total series.

If you want to perform overall average then you can use avg(total_ops) instead of sum(total_ops).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 08:45 AM

How about this

index="os" source="iostat" host="splunk" | timechart span=5m avg(total_ops) by Device | addtotals fieldname=IOPS | table _time IOPS
Reply
Solved! Jump to solution

jorgefg
Explorer
‎12-15-2016 12:39 PM

Great, this is exactly what I was looking for! Thanks for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...