Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use timechart and streamstats
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use timechart and streamstats
I have a search that will show me the top 3 processes like this
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f
I want to add the total line to the top three to combine them into one total CPU line.
I tried this but it did not work host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | streamstats sum(pctCPU) as TOTAL
Any help would be appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu need to use foreach command for that OR addtotals
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | addtotals
or
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | eval Total=0| foreach * [eval Total=Total+'<<FIELD>>']
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (NOTE: You should not use sum the way that you were):
host=foo sourcetype=top | timechart span=1m avg(pctCPU) BY COMMAND limit=3 useother=f
| eval _combined = 0
| foreach * [ eval _combined = _combined + <<FIELD>> ]
| eval _combined = _combined/3
| rename _combined AS combined
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think you want line 4 to be in there for "total" cpu time.
Is there any functional advantage to using _combined rather than combined? The code seems to function the same either way. Perhaps a useful personal naming convention for working fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is as nonsensical to have a "sum of percentages" as it is to have a "total average". I am making a guess at what he is really needing to do, given that the metric that he is working with is an "average" of sorts ( pctCPU ). It makes NO SENSE to do sum(pctCPU); that's the point. Therefore, my line 4 is necessary to continue working as averages (sum the 3 and divide by 3). The trick of using _combined vs. combined is so that when you do foreach *, the wildcard will not include the "invisible" ( _* ) fields. Try this:
| makeresults
| eval a=1, b=2, c=3, _d=4, e=5
| eval _clump="clumped:"
| foreach * [eval _clump = _clump . <<FIELD>>]
| rename _clump AS clump
Notice that the value for _d is not included and notice also that clumped only appears once. Notice the "brokenness" of this, which would otherwise require extra gymnastics inside of the foreach:
| makeresults
| eval a=1, b=2, c=3, _d=4, e=5
| eval clump="clumped:"
| foreach * [eval clump = clump . <<FIELD>>]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
