Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Reporting on VM capacity over time

clintla
Contributor
‎11-21-2019 07:19 AM

Date, VM1, VM2, VM3, VM4
5/1/2019 100, 100, n/a, 450
6/1/2019 100, 140, n/a, 450
7/1/2019 105, 200, n/a, n/a
8/1/2019 110, 200, n/a, n/a
9/1/2019 110, 200, n/a, n/a
10/1/2019 110, 200, 100, n/a
11/1/2019 110, 200, 200, n/a

I guess I can do this in different ways but from above but I'm trying to be able to specify 2 times from a time picker & then be able to report on overall capacity growth. I thought charting w/ earliest(VM) & latest(VM) but that does not work.

if VMs exist on both start/end- it works great.

The problem is that if a VM has been decommissioned (per above VM4) or if it was newly created (VM3) then earliest/latest for those 2 are not reported accurately. Above VM3 would report that it grew 100 when it really grew 200 from 5/1 to 11/1. VM4 reports no growth when it should read (-450) because it no longer exists.

Anyone else run into issues like this & have ideas on correctly reporting on this scenario?

0 Karma
Reply

to4kawa
Ultra Champion
‎11-26-2019 04:25 AM 
| makeresults 
 | eval _raw="Date, VM1, VM2, VM3, VM4
5/1/2019, 100, 100, n/a, 450
6/1/2019, 100, 140, n/a, 450
7/1/2019, 105, 200, n/a, n/a
8/1/2019, 110, 200, n/a, n/a
9/1/2019, 110, 200, n/a, n/a
10/1/2019, 110, 200, 100, n/a
11/1/2019, 110, 200, 200, n/a"
| multikv forceheader=1
| table Date VM*
| foreach VM* 
    [eval <<FIELD>> = ltrim(<<FIELD>>," ")]
`comment("this is sample data")`
| eval Date = strptime(Date,"%m/%d/%Y")
| rename Date as _time

Hi, @clintla
Visualisation

How about it?

Preview file
74 KB
0 Karma
Reply

clintla
Contributor
‎11-26-2019 12:04 PM

I think a chart works OK but it needs to be a table so we can look up groups of servers by type/Business unit & be able to calculate GB/% growth as a group.

N/A means the server doesnt exist. I thought about fillnull=0 but I still cant get it to fillnull over an entire non timechart (just a table/chart) so if the server was introduced in October that May through September gets 0s.

I guess the root question is that if you are doing a chart over a period of time, how do you populate capacity where a VM didnt exist with 0's.

If you timechart it, then individual VM's (we have thousands of VMs) becomes very messy. Needs to be a table or chart due to we might be searching 5 VMs or 100VMs & wanting a total growth

0 Karma
Reply

clintla
Contributor
‎11-26-2019 12:22 PM

a better more exacting data set would look like this
Date ,Name,Capacit Used
5/1/2019, VM1,100
5/1/2019, VM2,100
5/1/2019, VM4,450
6/1/2019, VM1,100
6/1/2019, VM2,140
6/1/2019, VM4,450
7/1/2019, VM1,105
7/1/2019, VM2,200
8/1/2019, VM1,110
8/1/2019, VM2,200
9/1/2019, VM1,110
9/1/2019, VM2,200
10/1/2019,VM1,110
10/1/2019,VM2,200
10/1/2019,VM3,100
11/1/2019,VM1,110
11/1/2019,VM2,200
11/1/2019,VM3,200

How can you search it so that if you search for 7/1/2019 through 11/1/2019 that the result would be tabled as

VM1 5GB
VM2 0GB
VM3 200GB

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...