Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Resource monitoring: Why am i only getting timestamps but no other value?

denipon
Explorer
‎08-10-2023 01:27 AM

Hello friends,

 

I'm fairly new to Splunk, so please bear with me here.

 

I have the output of the sar -u command on a solaris server. in the format:

 

Timestamp %usr %sys %wio %idle %cpu

 

now i was able to create a line graph outputting all five values, but as soon as i take away even one of the categories, i only get timestamps but no other value. how can i specifically search to output only the cpu value as average in either a bar chart or filler gauge?

 

Thanks for reading.

Best,

Denipon 

Labels (5)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-18-2023 01:10 AM

This should work

index="name_of_index" sourcetype="name_of_source" 
| timechart span=<time span like 15m> avg(usr) avg(sys) avg(wio) avg(idle) avg(cpu) by host

 with this you could add/remove those avg(xyz) from time chart. If you don' t add span=15m then time chart use span based on your search time slot.

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2023 01:39 AM

Hi

can you post your sample data and what you have on your query? Please use </> tag when you add those here!

r. Ismo

0 Karma
Reply
Solved! Jump to solution

denipon
Explorer
‎08-16-2023 06:00 PM

Sorry for the absolutely overwhelmingly late response.

 

So the logs are just the standard "sar" command logs from solaris, displaying "usr", "sys", "wio", "idle", "cpu".

in events they show up like this "Average      15      24      0      45      55"

And for the love of all that is good, I can't figure out how to structure my search query, to only display one of these values...

currently my search query which i was able to display all five values with is this:

Average index="name_of_index" sourcetype="name_of_source" | timechart avg(usr) avg(sys) avg(wio) avg(idle) avg(cpu) span=id

 

Any help is much appreciated.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-18-2023 01:10 AM

This should work

index="name_of_index" sourcetype="name_of_source" 
| timechart span=<time span like 15m> avg(usr) avg(sys) avg(wio) avg(idle) avg(cpu) by host

 with this you could add/remove those avg(xyz) from time chart. If you don' t add span=15m then time chart use span based on your search time slot.

Reply
Solved! Jump to solution

denipon
Explorer
‎08-18-2023 01:39 AM

Thanks a lot.

Seems to have done the trick.

 

Hope you have a wonderful weekend ahead of you.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...