Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get Splunk to evaluate numbers without ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have my apache servers' mod_status output (/server-status?auto) being pulled into Splunk with a scripted input. The CPU usage of apache is its own field in the search results as a numeric value. Problem is the apache servers use less that 1% of CPU when things are normal so the data being pulled into Splunk shows up like
- apache_cpu_usage=.078852
- apache_cpu_usage=.03456
- apache_cpu_usage=.11234
Whenever I run a simple search like:
sourcetype=access_combined | timechart span=1m sum(apache_cpu_used) by ServerName
I don't get any results in the visualization. Tried changing the Y axis value minimum to be .05 and still nothing. My guess is Splunk doesn't like the 0 missing before the decimal. Since the value will show up when apache uses more than 1% CPU it's correct the way it's being input. What's the best way to get Splunk to evaluate the data with missing leading digits or am I just missing something?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Test this
sourcetype=access_combined
| eval apache_cpu_used_numeric=tonumber(apache_cpu_used)
| timechart span=1m sum(apache_cpu_used_numeric) by ServerName
If that doesn't work, it may be that the tonumber function doesn't like the missing 0. Then you can try
sourcetype=access_combined
| eval apache_cpu_used_numeric=tonumber("0" . apache_cpu_used)
| timechart span=1m sum(apache_cpu_used_numeric) by ServerName
If you run these searches in Verbose mode, you should be able to see the fields and events even if the timechart doesn't work. Finally, if this solves your problem, you could create a calculated field that makes the numeric conversion for you automatically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Test this
sourcetype=access_combined
| eval apache_cpu_used_numeric=tonumber(apache_cpu_used)
| timechart span=1m sum(apache_cpu_used_numeric) by ServerName
If that doesn't work, it may be that the tonumber function doesn't like the missing 0. Then you can try
sourcetype=access_combined
| eval apache_cpu_used_numeric=tonumber("0" . apache_cpu_used)
| timechart span=1m sum(apache_cpu_used_numeric) by ServerName
If you run these searches in Verbose mode, you should be able to see the fields and events even if the timechart doesn't work. Finally, if this solves your problem, you could create a calculated field that makes the numeric conversion for you automatically.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
