Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use timechart and streamstats
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use timechart and streamstats
I have a search that will show me the top 3 processes like this
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f
I want to add the total line to the top three to combine them into one total CPU line.
I tried this but it did not work host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | streamstats sum(pctCPU) as TOTAL
Any help would be appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu need to use foreach command for that OR addtotals
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | addtotals
or
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | eval Total=0| foreach * [eval Total=Total+'<<FIELD>>']
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (NOTE: You should not use sum the way that you were):
host=foo sourcetype=top | timechart span=1m avg(pctCPU) BY COMMAND limit=3 useother=f
| eval _combined = 0
| foreach * [ eval _combined = _combined + <<FIELD>> ]
| eval _combined = _combined/3
| rename _combined AS combined
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think you want line 4 to be in there for "total" cpu time.
Is there any functional advantage to using _combined rather than combined? The code seems to function the same either way. Perhaps a useful personal naming convention for working fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is as nonsensical to have a "sum of percentages" as it is to have a "total average". I am making a guess at what he is really needing to do, given that the metric that he is working with is an "average" of sorts ( pctCPU ). It makes NO SENSE to do sum(pctCPU); that's the point. Therefore, my line 4 is necessary to continue working as averages (sum the 3 and divide by 3). The trick of using _combined vs. combined is so that when you do foreach *, the wildcard will not include the "invisible" ( _* ) fields. Try this:
| makeresults
| eval a=1, b=2, c=3, _d=4, e=5
| eval _clump="clumped:"
| foreach * [eval _clump = _clump . <<FIELD>>]
| rename _clump AS clump
Notice that the value for _d is not included and notice also that clumped only appears once. Notice the "brokenness" of this, which would otherwise require extra gymnastics inside of the foreach:
| makeresults
| eval a=1, b=2, c=3, _d=4, e=5
| eval clump="clumped:"
| foreach * [eval clump = clump . <<FIELD>>]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
