Splunk search comparing avg I/O and avg load but n...

Muditks · ‎10-05-2023

This splunk search is not showing any result.

index=os OR index=linux sourcetype=vmstat OR source=iostat
[| input lookup SEI-build_server_lookup.csv where platform=eid_rhel6 AND where NOT (role-code-sonar)
  | fields host | format ]
| rex field=host (?<host>\w+)?\..+"
| timechart avg(avgWaitMillis)
| eval cores=4
| eval loadAvg1mipercore=loadAvg1mi/cores
| stats avg(loadAvg1mipercore) as load by host

Please help to correct my search.

richgalloway · ‎10-05-2023

Correct it to do what? What are you expecting as output?

The stats command is grouping by the host field, which doesn't exist. In that scenario, stats will produce no output. The host field was dropped by the timechart command. Fix that by adding "by host" to the timechart command.

Next, you'll find stats can't compute an average because the field specified, loadAvg1mipercore, is null. The field is null because the eval that created it uses a field, loadAvg1mi, that doesn't exist.

Here's an attempt to "correct" the search. Whether or not it produces the desired and/or right output I don't know.

index=os OR index=linux sourcetype=vmstat OR source=iostat
[| input lookup SEI-build_server_lookup.csv where platform=eid_rhel6 AND where NOT (role-code-sonar)
  | fields host | format ]
| rex field=host (?<host>\w+)?\..+"
| timechart avg(avgWaitMillis) as loadAvg1mi by host
| eval cores=4
| eval loadAvg1mipercore=loadAvg1mi/cores
| stats avg(loadAvg1mipercore) as load by host

---
If this reply helps you, Karma would be appreciated.

Splunk search comparing avg I/O and avg load but not giving results

chart

count

eval

fields

join

lookup

regex

rex

search job inspector

stats

table

timechart

transaction

tstats

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

Splunk search comparing avg I/O and avg load but not giving results