Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk perfmon disk io search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
Looking for some help with a perfmon search.
index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk" instance=_total
| timechart sum(Disk_Transfers/sec) span=90s
This gives me all the IO of the hosts, but it only seems accurate if I chart it to 90s span, which is how often it queries. If I change that then the sum obviously just puts all the values together.
What I want to do is show longer periods of time, but still have it counting the sum of each reading (like a bucket) over time and not adding all numbers over the whole period (span) together. I want to force it to always use the time as the bucket. Any help is much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your perfmon input interval is 90 seconds, then Disk_Transfers = 90 * 'Disk_Transfers/sec'. You can displayed corrected Disk_Transfers/sec and Disk_Transfers values for any time span using this:
index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk" instance=_total
| timechart fixedrange=f minspan=90s per_second(eval(90 * 'Disk_Transfers/sec')) as Disk_Transfers/sec sum(eval(90 * 'Disk_Transfers/sec')) as Disk_Transfers by hostIf your interval is unknown, you can estimate it from data:
index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk" instance=_total
| streamstats current=f last(_time) as last_time by host
| eval interval=_time-last_time
| where NOT isnull(interval)
| timechart fixedrange=f per_second(eval(interval * 'Disk_Transfers/sec')) as Disk_Transfers/sec sum(eval(interval * 'Disk_Transfers/sec')) as Disk_Transfers by hostNote that your tails may not cover an entire span. E.g. If timechart chooses span=1h and your search time range is not snapped to the nearest hour with @h, then your first and last values will be skewed by missing data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your perfmon input interval is 90 seconds, then Disk_Transfers = 90 * 'Disk_Transfers/sec'. You can displayed corrected Disk_Transfers/sec and Disk_Transfers values for any time span using this:
index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk" instance=_total
| timechart fixedrange=f minspan=90s per_second(eval(90 * 'Disk_Transfers/sec')) as Disk_Transfers/sec sum(eval(90 * 'Disk_Transfers/sec')) as Disk_Transfers by hostIf your interval is unknown, you can estimate it from data:
index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk" instance=_total
| streamstats current=f last(_time) as last_time by host
| eval interval=_time-last_time
| where NOT isnull(interval)
| timechart fixedrange=f per_second(eval(interval * 'Disk_Transfers/sec')) as Disk_Transfers/sec sum(eval(interval * 'Disk_Transfers/sec')) as Disk_Transfers by hostNote that your tails may not cover an entire span. E.g. If timechart chooses span=1h and your search time range is not snapped to the nearest hour with @h, then your first and last values will be skewed by missing data.
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
