Splunk Search

Tracking how much an item moves vs. a baseline.

Splunk Employee

I was asked to look into building a report on how much an item moves vs. a baseline. I was trying to compare CPU utilization by process over a month, and compare that to utilization on a given day. After that, I wanted to compare the difference in ranking. How could this be done?

1 Solution

Splunk Employee

I could see where something like this could be modified to be made useful for others, so I thought I would share the search:

index="os" sourcetype="ps" host="*"  earliest=-30d@d
| multikv fields pctCPU, COMMAND
| chart avg(pctCPU) as pctCPUMonthly by COMMAND
| sort limit=10 - COMMAND
| streamstats count as MonthRank
| append [search index="os" sourcetype="ps" host="*"  earliest=-1d@d | multikv fields pctCPU, COMMAND | chart avg(pctCPU) as pctCPUDaily by COMMAND | sort limit=10 - COMMAND | streamstats count as DayRank]
| stats first(MonthRank) as MonthRank first(DayRank) as DayRank by COMMAND
| eval difference=MonthRank-DayRank
| fields + COMMAND, MonthRank, DayRank, difference

I hope this is useful to someone.



Splunk Employee

I think there's an error here:

"| sort limit=10 - COMMAND"

You're sorting by the NAMES (i.e. "COMMAND") of the commands from Z to A, and then using that order as the MonthRank? I think you want

"| sort limit=10 - pctCPUMonthly"

Splunk Employee

Might be useful to talk out how the search does its magic?
