Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to aggregate the values from all disks in a single value and display a line representing IOPS from these disks?

jorgefg
Explorer
‎12-15-2016 07:43 AM

Hi folks,
I'm using the following search to display a graph with the disk throughput (IOPS) for every disk in a host:

index="os" source="iostat" host="splunk" | timechart span=5m avg(total_ops) by Device

alt text

But I don't know how to aggregate the values from all disks in a single value and display only a line with all the IOPS from all disks.

Any suggestion would be appreciated.

Thanks!
Jorge.

Preview file
78 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 08:45 AM

How about this

index="os" source="iostat" host="splunk" | timechart span=5m avg(total_ops) by Device | addtotals fieldname=IOPS | table _time IOPS

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎12-15-2016 11:30 AM

Could you please clarify whether you want to see total of IOPS for all devices or average of all IOPS? If possible with dummy data examples as table. I would expect sum() and max() as the stats to be used in the following case instead of average unless if that is what you want to show for all IOPS by Devices.

Following will show single TotalIOPS line on top of your existing series.

index="os" source="iostat" host="splunk" |  eventstats max(total_ops) as Total   | timechart span=5m max(total_ops) as Max max(Total) as Total by Device |fields - "Total: sdb" "Total: sdc" | rename "Total: sda" as Total 

 | <use fields -  to remove other Total fields> | <rename one of the Total field as per your need>

Finally, create Chart Overlay with Total series.

If you want to perform overall average then you can use avg(total_ops) instead of sum(total_ops).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 08:45 AM

How about this

index="os" source="iostat" host="splunk" | timechart span=5m avg(total_ops) by Device | addtotals fieldname=IOPS | table _time IOPS
Reply
Solved! Jump to solution

jorgefg
Explorer
‎12-15-2016 12:39 PM

Great, this is exactly what I was looking for! Thanks for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...