Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need help on Queries Combination.

jackin
Path Finder
‎12-19-2021 08:18 PM

Hi,
Search 1: It is used to findout the server health
index=win sourcetype="xmlwineventlog" host=Prod_UI_*
| eval Status=if(EventCode=41 OR EventCode=6006 OR EventCode=6008,"Down","Up")
| dedup host
| table Status

Search 2 : It is used to findout the CPU Usage

| mstats avg(_value) prestats=true WHERE metric_name="Processor.%_Processor_Time" AND
"index"="winperf" AND
host=Prod_UI_* span=60s
| eval Timestamp=strftime(_time ,"%d/%m/%Y %H:%M:%S")
| stats avg(_value) AS CPU BY host Timestamp
| where CPU>=0
| eval Status="Critical",CPU=round(CPU,2),CPU=CPU+"%"
| rename host as Hostname
| table Timestamp Hostname CPU Status
| dedup Hostname
| sort - CPU

Search 3 : It is used to findout the Memory Usage

| mstats avg(_value) prestats=true WHERE metric_name="Memory.%_Committed_Bytes_In_Use" AND
"index"="winperf" AND
host=Prod_UI_* span=60s
| eval Timestamp=strftime(_time ,"%d/%m/%Y %H:%M:%S")
| stats avg(_value) AS Memory BY host Timestamp
| where Memory>=0
| eval Status="Critical",Memory=round(Memory,2),Memory=Memory+"%"
| rename host as Hostname
| table Timestamp Hostname Memory Status
| dedup Hostname
| sort - Memory

finally I need a query to know the server health and CPU and memory usage in single table.
and if CPU used >75% or memory used >75% it should show that the server is Down.


Like

Hostname    Health    CPU    Memory
Google           Down      76%      45%

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-19-2021 11:32 PM

I've never had the opportunity to work with metric indexes but my intuition tells me to try append or multisearch and do stats on the resulting data.

 But there are some other things about your searches.

Firstly - in order to combine your results, you have to correlate them on time, right? So you heed to bin the results from your first search by time.

Secondly, use fieldformat on _time field, not eval for rendering it as string. If you use string timestamp representation, you will sort this field lexicographicaly which is almost never what you want.

Thirdly, "| dedup Hostname" might lose data. It will deduplicate events basing on hostname field ignoring whether other fields differ or not. Are you sure that's what you want?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...