Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reporting on VM capacity over time

clintla
Contributor
‎11-21-2019 07:19 AM

Date, VM1, VM2, VM3, VM4
5/1/2019 100, 100, n/a, 450
6/1/2019 100, 140, n/a, 450
7/1/2019 105, 200, n/a, n/a
8/1/2019 110, 200, n/a, n/a
9/1/2019 110, 200, n/a, n/a
10/1/2019 110, 200, 100, n/a
11/1/2019 110, 200, 200, n/a

I guess I can do this in different ways but from above but I'm trying to be able to specify 2 times from a time picker & then be able to report on overall capacity growth. I thought charting w/ earliest(VM) & latest(VM) but that does not work.

if VMs exist on both start/end- it works great.

The problem is that if a VM has been decommissioned (per above VM4) or if it was newly created (VM3) then earliest/latest for those 2 are not reported accurately. Above VM3 would report that it grew 100 when it really grew 200 from 5/1 to 11/1. VM4 reports no growth when it should read (-450) because it no longer exists.

Anyone else run into issues like this & have ideas on correctly reporting on this scenario?

0 Karma
Reply

to4kawa
Ultra Champion
‎11-26-2019 04:25 AM 
| makeresults 
 | eval _raw="Date, VM1, VM2, VM3, VM4
5/1/2019, 100, 100, n/a, 450
6/1/2019, 100, 140, n/a, 450
7/1/2019, 105, 200, n/a, n/a
8/1/2019, 110, 200, n/a, n/a
9/1/2019, 110, 200, n/a, n/a
10/1/2019, 110, 200, 100, n/a
11/1/2019, 110, 200, 200, n/a"
| multikv forceheader=1
| table Date VM*
| foreach VM* 
    [eval <<FIELD>> = ltrim(<<FIELD>>," ")]
`comment("this is sample data")`
| eval Date = strptime(Date,"%m/%d/%Y")
| rename Date as _time

Hi, @clintla
Visualisation

How about it?

Preview file
1 KB
0 Karma
Reply

clintla
Contributor
‎11-26-2019 12:04 PM

I think a chart works OK but it needs to be a table so we can look up groups of servers by type/Business unit & be able to calculate GB/% growth as a group.

N/A means the server doesnt exist. I thought about fillnull=0 but I still cant get it to fillnull over an entire non timechart (just a table/chart) so if the server was introduced in October that May through September gets 0s.

I guess the root question is that if you are doing a chart over a period of time, how do you populate capacity where a VM didnt exist with 0's.

If you timechart it, then individual VM's (we have thousands of VMs) becomes very messy. Needs to be a table or chart due to we might be searching 5 VMs or 100VMs & wanting a total growth

0 Karma
Reply

clintla
Contributor
‎11-26-2019 12:22 PM

a better more exacting data set would look like this
Date ,Name,Capacit Used
5/1/2019, VM1,100
5/1/2019, VM2,100
5/1/2019, VM4,450
6/1/2019, VM1,100
6/1/2019, VM2,140
6/1/2019, VM4,450
7/1/2019, VM1,105
7/1/2019, VM2,200
8/1/2019, VM1,110
8/1/2019, VM2,200
9/1/2019, VM1,110
9/1/2019, VM2,200
10/1/2019,VM1,110
10/1/2019,VM2,200
10/1/2019,VM3,100
11/1/2019,VM1,110
11/1/2019,VM2,200
11/1/2019,VM3,200

How can you search it so that if you search for 7/1/2019 through 11/1/2019 that the result would be tabled as

VM1 5GB
VM2 0GB
VM3 200GB

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...