Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use timechart and streamstats

hartfoml
Motivator
‎03-28-2017 07:28 AM

I have a search that will show me the top 3 processes like this

host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f

I want to add the total line to the top three to combine them into one total CPU line.

I tried this but it did not work host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | streamstats sum(pctCPU) as TOTAL

Any help would be appreciated

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎03-28-2017 07:45 AM

YOu need to use foreach command for that OR addtotals 

host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | addtotals

or 

host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | eval Total=0| foreach * [eval Total=Total+'<<FIELD>>']
Reply

woodcock
Esteemed Legend
‎03-28-2017 07:41 AM

Like this (NOTE: You should not use sum the way that you were):

host=foo sourcetype=top | timechart span=1m avg(pctCPU) BY COMMAND limit=3 useother=f
| eval _combined = 0
| foreach * [ eval _combined = _combined + <<FIELD>> ]
| eval _combined = _combined/3
| rename _combined AS combined
0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎03-28-2017 07:59 AM

I don't think you want line 4 to be in there for "total" cpu time.

Is there any functional advantage to using _combined rather than combined? The code seems to function the same either way. Perhaps a useful personal naming convention for working fields?

0 Karma
Reply

woodcock
Esteemed Legend
‎03-28-2017 01:47 PM

It is as nonsensical to have a "sum of percentages" as it is to have a "total average". I am making a guess at what he is really needing to do, given that the metric that he is working with is an "average" of sorts ( pctCPU ). It makes NO SENSE to do sum(pctCPU); that's the point. Therefore, my line 4 is necessary to continue working as averages (sum the 3 and divide by 3). The trick of using _combined vs. combined is so that when you do foreach *, the wildcard will not include the "invisible" ( _* ) fields. Try this:

| makeresults 
| eval a=1, b=2, c=3, _d=4, e=5
| eval _clump="clumped:" 
| foreach * [eval _clump = _clump . <<FIELD>>]
| rename _clump AS clump

Notice that the value for _d is not included and notice also that clumped only appears once. Notice the "brokenness" of this, which would otherwise require extra gymnastics inside of the foreach:

| makeresults 
| eval a=1, b=2, c=3, _d=4, e=5
| eval clump="clumped:" 
| foreach * [eval clump = clump . <<FIELD>>]
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...