Splunk Search

NIX add-on for Splunk: How to return a value from a subsearch and populating it in a field for each entry

vader13
New Member

I'm using the *NIX add-on for Splunk.

We receive "TOP.sh" information into Splunk. Top provides the process information and pctCPU.

I'm trying to run a statistics table search to do the following:

Pull the TOP data for a specific host.
Return the COMMAND (Process Name) and pctCPU.
Sum the pctCPU for all similar process names.
Create a new column with the total pctCPU for every process.
Divide the pctCPU total for each process by the total pctCPU of the box and put that in a separate field (cpuShare).
Return the process names and cpuShare.

I have a piechart that returns the data and creates the slices. But the statistical format of that doesn't have the percentages. Is there a hidden field I can display or do I need to do the division myself? This is going in a dashboard. I have obscured the real host name with $host_name$.

Example of pie chart:

index=os host=$host_name$ source="top" COMMAND=* 
| table _time, host, USER, COMMAND, PID, pctCPU 
| chart sum(pctCPU) over COMMAND

Example of statistical table to evaluate the CPU share:

index=os host=$host_name$ source="top" COMMAND=* 
| table COMMAND, pctCPU 
| stats sum(pctCPU) by COMMAND 
| sort - sum(pctCPU) 
| eval bretCPU = 
    [ search index=os host=$host_name$ source="top" COMMAND=* 
    | table pctCPU 
    | stats sum(pctCPU) as totalPctCPU 
    | return totalPctCPU]
0 Karma

woodcock
Esteemed Legend

Try this:

| makeresults
| eval raw="COMMAND=processA,pctCPU=103.8
COMMAND=processB,pctCPU=27.1
COMMAND=processC,pctCPU=3103.9:::COMMAND=processA,pctCPU=431.8
COMMAND=processB,pctCPU=89.1
COMMAND=processC,pctCPU=300.9"
| makemv delim=":::" raw
| mvexpand raw
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| kv
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| chart sum(pctCPU) AS pctCPU OVER COMMAND
| eventstats sum(pctCPU) AS pctCPUtotal
| eval pctCPUpct = round((100 * pctCPU / pctCPUtotal), 3)
0 Karma

woodcock
Esteemed Legend

You need to rework that 2nd search to be all 1 search.

0 Karma

woodcock
Esteemed Legend

When I do a pie chart it automatically calculates the percentages and I can see them in the tooltip when I hover over a pie segment. If you need to see them more obviously and all together, then you can calculate them yourself and add them to the name field like this:

index=_* 
| stats count BY component 
| eventstats sum(count) AS total_count
| eval pct = round((100 * count / total_count), 3)
| eval component = component . "(" . pct . "%)"
| table component count
0 Karma

vader13
New Member

That works for pct of count, but that's not what I'm looking for. Let me show the data; it might make more sense.

So the TOP.sh script (*NIX Add-on) runs every 1 minute and returns the processes running and the pctCPU. In our server, we have 44 cores, so you will see a process grab 20 or 30 cores at times.

Example:
Time Interval #1

COMMAND pctCPU
processA 103.8%
processB 27.1%
processC 3103.9%

Time Interval #2
COMMAND pctCPU
processA 431.8
processB 89.1
processC 300.9

I wrote a chart search to sum by each process, which combined looks like this:

PieChart
processA 535.6
processB 116.2
processC 3404.8

Splunk creates the piechart and that works fine. It also creates the pie slice percentages. I want this in a statistics table.

So, all I need to do is add a new field to the piechart results that totals all of the process percentages together and then divides each process by the total in a new column. Then, return the Process and PCT.

COMMAND pctCPU totalCPU totalPCT
processA 535.6 4056.6 13.2
processB 116.2 4056.6 2.8
processC 3404.8 4056.6 83.9

FINAL
COMMAND totalPCT
processA 13.2
processB 2.8
processC 83.9

I just keep getting a logic error with the syntax above. My subsearch works fine by itself. When I put it in the EVAL, it appears to return a boolean value. The search by itself returns a number.

0 Karma

woodcock
Esteemed Legend

You need to ditch the subsearch anyway....

0 Karma

vader13
New Member

I agree. The pie chart shows it. I want the equivalent data in a table. I'll try your logic and report back.

0 Karma
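For completeness, here is the original statistics-table search rewritten as one search along the lines of the eventstats approach above, producing the COMMAND / pctCPU / totalCPU / totalPCT table the question asks for (an added example, not code posted in the thread; it assumes the same index=os, source="top" and $host_name$ token as the question):

```spl
index=os host=$host_name$ source="top" COMMAND=*
| stats sum(pctCPU) AS pctCPU BY COMMAND
| eventstats sum(pctCPU) AS totalCPU
| eval totalPCT = round((100 * pctCPU / totalCPU), 1)
| sort - totalPCT
| table COMMAND pctCPU totalCPU totalPCT
```

The AS pctCPU rename matters, since otherwise the summed field is literally named sum(pctCPU) and must be quoted as 'sum(pctCPU)' in eval. The subsearch form appeared to return a boolean because "| return totalPctCPU" expands to the text totalPctCPU=<value> inside the eval, which eval parses as a comparison ("| return $totalPctCPU" would give the bare value, but eventstats avoids the second pass over the data entirely).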