How to plot max system load against the actual load?

Path Finder

I have the following simple query:

index=os sourcetype=vmstat tag=dcv-na | eval MaxLoad = 28  | timechart  max(loadAvg1mi) as LoadAvg,max(MaxLoad) as MaxLoad by host

This works well enough, but when multiple hosts are involved it gets busy due to the fact that eval is a plot for each host. I'd like just one line across the chart showing the max value for all hosts, similar to how the licensing reports work.

0 Karma
1 Solution

SplunkTrust

Then let's create the maxLoad line after your time chart like this:

index=os sourcetype=vmstat tag=dcv-na | timechart max(loadAvg1mi) as LoadAvg by host | eval MaxLoad = 28

0 Karma

Path Finder

Some more details are probably in order. In the 30-day license report there is a dotted line for "Stack Size". I would like the max value plot to stand out more.

0 Karma

Path Finder

Thanks. Is there a way to label that line on the chart as MaxLoad? I'd like to point out on the chart that this is the maximum.

0 Karma
