Splunk Search

How to perform a division between subresults

rootto
Explorer

Hi all,

I would like to perform the following

each result returned by

source="wmi:cputime" daysago=30 | where PercentProcessorTime>=80 | stats count by host

divided by each result retuned by

source="wmi:cputime" daysago=30 | where PercentProcessorTime>=0 | stats count by host

I need this result in order to get the monthly usage of the resource per host. And idea? Cheers

Nicola

Tags (1)
0 Karma

rootto
Explorer

I found the answer to my own question:

source="wmi:cputime" daysago=30 | stats count(eval(PercentProcessorTime>=80)) as Total_80, count(eval(PercentProcessorTime)) as Total by host| eval percentage=(Total_80/Total)*100

sideview
SplunkTrust
SplunkTrust

Note: a slightly simpler search would be just:

source="wmi:cputime" | stats count count(eval(PercentProcessorTime>=80)) as Total_80 by host| eval percentage=(Total_80/count)*100

0 Karma

jrodman
Splunk Employee
Splunk Employee

It seems like the question here is: for events with a PercentProcessorTime field, what quantity are 80 or more? If wrong, maybe a rephrase of the question might clarify.

Try something like: source="wmi:cputime" daysago=30 PercentProcessorTime=* | eval cpu_business=if(PercentProcessorTime>=80, "busy", "not_so_busy") | stats count by host, cpu_business

0 Karma

rootto
Explorer

Hi jrodman,

thanks for the answer. What I'm looking for is the amount of time the cpu was over 805 in the last months.

So if th first query returns:

Host1 3577
Host2 312

and the second:
Host1 63112
Host2 32125

I would like to write a single query to get:
Host1 5.66%
Host2 0.97%

Probably there is an easier way of getting the result, but at the moment I'm not getting it. any suggestions?
Thanks Nicola

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...