How to plot SAR info?

kirandvrs
New Member

I have SAR info like this and I am able to get the values in table format. But I need the same values plotted in a graph. I don't need any max, min, avg, sum details. Just need to plot the values as is.

host cpu idle user system iowait TimeStamp(GMT) TimeStamp(MST)
host1 23 98.70 0.06 0.10 1.13 03/13/2017 01:05:01 AM GMT 03/12/2017 06:05:01 PM MST
host1 22 99.51 0.29 0.17 0.02 03/13/2017 01:05:01 AM GMT 03/12/2017 06:05:01 PM MST
host1 21 99.12 0.22 0.63 0.03 03/13/2017 01:05:01 AM GMT 03/12/2017 06:05:01 PM MST
host1 20 97.20 0.49 2.29 0.02 03/13/2017 01:05:01 AM GMT 03/12/2017 06:05:01 PM MST

0 Karma

DalJeanis
SplunkTrust

That depends on what you want the graph to show. First, use only one of the two timestamps; the other is redundant. In big organizations, I would suggest using GMT, but for local presentation, you could use local time just fine.

Do you want to compare the CPUs on that particular host, and see how they are doing relative to each other? Then you could make a bar graph. Each CPU on the one host would be a series, and the four categories would each be a bar chart.

Do you want to see how CPU usage varies over time in each category for each CPU? Then you probably want to ignore the "idle" number, and pay attention to the other three. Aside from rounding errors, the four numbers always add up to 100, so the huge "idle" number would just be a distraction to the scale of the graph.


Here's some run-anywhere code to enter your data.

| makeresults 
| eval mydata="host1,23,98.70,0.06,0.10,1.13,03/13/2017 01:05:01 AM GMT!!!!host1,22,99.51,0.29,0.17,0.02,03/13/2017 01:05:01 AM GMT!!!!host1,21,99.12,0.22,0.63,0.03,03/13/2017 01:05:01 AM GMT!!!!host1,20,97.20,0.49,2.29,0.02,03/13/2017 01:05:01 AM GMT!!!!" 
| makemv delim="!!!!" mydata | mvexpand mydata
| makemv delim="," mydata 
| eval host=mvindex(mydata,0),cpu=mvindex(mydata,1),idle=mvindex(mydata,2),user=mvindex(mydata,3),system=mvindex(mydata,4),iowait=mvindex(mydata,5),timestamp=mvindex(mydata,6)
| eval _time = strptime(timestamp,"%m/%d/%Y %l:%M:%S %p %Z")
| table _time host cpu idle user system iowait
0 Karma

DalJeanis
SplunkTrust

If you want to view the action across time, it's a bit hard to get it all legible in one graph. Here's some run-anywhere code you can play with. Just change the last few lines to try different visualizations.

Most of this code is just for the purposes of generating random data.

| gentimes start="01/25/2017:23:00:00" end="01/25/2017:23:00:30" increment=1s
| eval Time=strftime(starttime,"%m/%d/%Y %l:%M:%S %p %Z")
| eval u20 = 0.35 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/120
| eval u21 = 0.14 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/270
| eval u22 = 0.185 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/350
| eval u23 = 0.035 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/600
| foreach u* [ eval <<FIELD>>=if(<<FIELD>><0,0.01,round(<<FIELD>>,2))]
| eval s20 = 1.5 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/30
| eval s21 = 0.275 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/80
| eval s22 = 0.095 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/350
| eval s23 = 0.05 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/600
| foreach s* [ eval <<FIELD>>=if(<<FIELD>><0,0.01,round(<<FIELD>>,2))]
| eval io20 = 0.005 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/1500
| eval io21 = 0.011 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/2500
| eval io22 = 0.007 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/3000
| eval io23 = 0.035 + (3.3*(random()%19)+2.1*(random()%17)-1.6*(random()%25))/30
| foreach io* [ eval <<FIELD>>=if(<<FIELD>><0,0.01,round(<<FIELD>>,2))]
| eval i20=100-u20-s20-io20
| eval i21=100-u21-s21-io21
| eval i22=100-u22-s22-io22
| eval i23=100-u23-s23-io23
| eval mydata="host1,20,".i20.",".u20.",".s20.",".io20.",".Time."!!!!host1,21,".i21.",".u21.",".s21.",".io21.",".Time."!!!!host1,22,".i22.",".u22.",".s22.",".io22.",".Time."!!!!host1,23,".i23.",".u23.",".s23.",".io23.",".Time 
| table mydata
| makemv delim="!!!!" mydata | mvexpand mydata
| makemv delim="," mydata 
| eval host=mvindex(mydata,0), cpu=mvindex(mydata,1), idle=mvindex(mydata,2), user=mvindex(mydata,3), system=mvindex(mydata,4), iowait=mvindex(mydata,5), timestamp=mvindex(mydata,6)
| eval _time = strptime(timestamp,"%m/%d/%Y %l:%M:%S %p %Z")
| table _time host cpu idle user system iowait

All of that gives you 30 seconds of pretend-data. Here, we slap the host and cpu together, then use xyseries to chart it. I found that the chart was way too busy, so I pulled out "idle" (as I said before, it's redundant) and then killed everything but one cpu.

| eval hostcpu = host."-".cpu
| table _time hostcpu idle user system iowait
| xyseries  _time hostcpu user system iowait
| table _time *host1-20*

If I were presenting it in a dashboard, I would probably have a base search, and then either present the four cpus in panels in line above each other, with the same color representing each type of non-idle usage, or present the three types of non-idle usage in panels in line above each other, with the same color representing each cpu.

0 Karma
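
The second dashboard layout described in the answer above (one panel per type of non-idle usage, stacked in rows, with the same color for each CPU in every panel), as an added Simple XML example that is not part of the original answer. The index, sourcetype, time range and color values are placeholders, and the fields host, cpu, user, system and iowait are assumed to be already extracted at search time.

```xml
<dashboard>
  <label>SAR CPU usage by type (added example)</label>
  <!-- Base search runs once; YOUR_INDEX and YOUR_SAR_SOURCETYPE are placeholders. -->
  <!-- Ending in "table" keeps only the fields the post-process panels need. -->
  <search id="sar_base">
    <query>index=YOUR_INDEX sourcetype=YOUR_SAR_SOURCETYPE host=host1
| eval hostcpu = host."-".cpu
| table _time hostcpu user system iowait</query>
    <earliest>-4h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>user</title>
      <chart>
        <search base="sar_base"><query>xyseries _time hostcpu user</query></search>
        <option name="charting.chart">line</option>
        <option name="charting.fieldColors">{"host1-20":0x1E93C6,"host1-21":0xF2B827,"host1-22":0xD6563C,"host1-23":0x6A5C9E}</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>system</title>
      <chart>
        <search base="sar_base"><query>xyseries _time hostcpu system</query></search>
        <option name="charting.chart">line</option>
        <option name="charting.fieldColors">{"host1-20":0x1E93C6,"host1-21":0xF2B827,"host1-22":0xD6563C,"host1-23":0x6A5C9E}</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>iowait</title>
      <chart>
        <search base="sar_base"><query>xyseries _time hostcpu iowait</query></search>
        <option name="charting.chart">line</option>
        <option name="charting.fieldColors">{"host1-20":0x1E93C6,"host1-21":0xF2B827,"host1-22":0xD6563C,"host1-23":0x6A5C9E}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Each panel plots the raw values with no aggregation, since xyseries only pivots the rows that the base search already returned.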