Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Resource monitoring: Why am i only getting timestamps but no other value?

denipon
Explorer
‎08-10-2023 01:27 AM

Hello friends,

 

I'm fairly new to Splunk, so please bear with me here.

 

I have the output of the sar -u command on a solaris server. in the format:

 

Timestamp %usr %sys %wio %idle %cpu

 

now i was able to create a line graph outputting all five values, but as soon as i take away even one of the categories, i only get timestamps but no other value. how can i specifically search to output only the cpu value as average in either a bar chart or filler gauge?

 

Thanks for reading.

Best,

Denipon 

Labels (5)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-18-2023 01:10 AM

This should work

index="name_of_index" sourcetype="name_of_source" 
| timechart span=<time span like 15m> avg(usr) avg(sys) avg(wio) avg(idle) avg(cpu) by host

 with this you could add/remove those avg(xyz) from time chart. If you don' t add span=15m then time chart use span based on your search time slot.

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-10-2023 01:39 AM

Hi

can you post your sample data and what you have on your query? Please use </> tag when you add those here!

r. Ismo

0 Karma
Reply
Solved! Jump to solution

denipon
Explorer
‎08-16-2023 06:00 PM

Sorry for the absolutely overwhelmingly late response.

 

So the logs are just the standard "sar" command logs from solaris, displaying "usr", "sys", "wio", "idle", "cpu".

in events they show up like this "Average      15      24      0      45      55"

And for the love of all that is good, I can't figure out how to structure my search query, to only display one of these values...

currently my search query which i was able to display all five values with is this:

Average index="name_of_index" sourcetype="name_of_source" | timechart avg(usr) avg(sys) avg(wio) avg(idle) avg(cpu) span=id

 

Any help is much appreciated.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-18-2023 01:10 AM

This should work

index="name_of_index" sourcetype="name_of_source" 
| timechart span=<time span like 15m> avg(usr) avg(sys) avg(wio) avg(idle) avg(cpu) by host

 with this you could add/remove those avg(xyz) from time chart. If you don' t add span=15m then time chart use span based on your search time slot.

Reply
Solved! Jump to solution

denipon
Explorer
‎08-18-2023 01:39 AM

Thanks a lot.

Seems to have done the trick.

 

Hope you have a wonderful weekend ahead of you.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...