Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to inject multiple host in the Splunk mstats?

microsac
Explorer
‎03-30-2022 12:45 AM

I am looking forward to creating a table for system metrics values like "cpu", "memory" and "swap", now if run the below search it works, but it will get all hosts available while I want my search to be specific to some hosts.
1)

| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by host
| eval "cpu_active"=100-cpu_idle 
| fillnull value=0 
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]


2)Where if i try like below then i get an error as i am beginner and not getting the right approach to get it .

| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by 
("host"="host1.example.com" OR 
"host"="host2.example.com" OR 
"host"="host3.example.com"
)
| eval "cpu_active"=100-cpu_idle 
| fillnull value=0 
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]

1) working screen shot 

microsac_0-1648626014925.png

2)  trial but not working 

microsac_1-1648626229017.png

Would appreciate to get any help or direction on this.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2022 01:08 AM 
| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by host
| where host="host1.example.com" OR host="host2.example.com" OR host="host3.example.com"
| eval "cpu_active"=100-cpu_idle 
| fillnull value=0 
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2022 01:08 AM 
| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by host
| where host="host1.example.com" OR host="host2.example.com" OR host="host3.example.com"
| eval "cpu_active"=100-cpu_idle 
| fillnull value=0 
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...