Hello,
I am trying to extract UNIX CPU data core-wise for multiple hosts. I am using the below query for the extract:
source=cpu host="XYZ"
| multikv fields CPU pctIdle
| eval Percent_CPU_Load = 100 - pctIdle
| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) by CPU
| table _time all *
| eval _time=strftime(_time,"%m/%d/%Y %H:%M:%S")
| table _time all *
However, this loses the host field after the timechart command, and I am not able to view the name of the host in the table.
"_time",all,0,1,2,3,4,5,6,7
"08/14/2019 14:35:00",3,3,4,4,5,3,2,3,2
"08/14/2019 14:40:00",5,5,7,6,5,5,4,5,4
"08/14/2019 14:45:00",4,4,4,5,5,4,4,3,4
"08/14/2019 14:50:00",2,2,1,2,2,2,5,4,1
I also tried with the bucket and stats commands, which gives the host field (query as below), but it changes the format.
index=main host="XYZ" source=cpu
| multikv fields pctIdle host CPU
| eval Percent_CPU_Load = 100 - pctIdle
| table _time host CPU Percent_CPU_Load
| bucket _time span=5m
| stats avg(Percent_CPU_Load) by _time,CPU,host
"_time",CPU,host,"avg(Percent_CPU_Load)"
"2019-08-13T14:00:00.000-0400",0,"XYZ","1.9040000000000006"
"2019-08-13T14:00:00.000-0400",1,"XYZ","2.8860000000000015"
"2019-08-13T14:00:00.000-0400",2,"XYZ","2.1960000000000006"
"2019-08-13T14:00:00.000-0400",3,"XYZ","2.7099999999999995"
"2019-08-13T14:00:00.000-0400",4,"XYZ","2.5839999999999987"
"2019-08-13T14:00:00.000-0400",5,"XYZ","2.595"
"2019-08-13T14:00:00.000-0400",6,"XYZ","2.1990000000000007"
"2019-08-13T14:00:00.000-0400",7,"XYZ","2.093000000000001"
I am also unable to use an eval command and add a host field, because the query is for an extract and I might need to add multiple hosts.
So please could someone help me with an extract in the below format:
_time, Host, all,0,1,2,3,4,5,6,7
Hi Sukisen,
Timechart command doesn’t accept a second argument. So it’s throwing an error.
What happens if, in your first code, you just tinker with the timechart a bit?
| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) ,values(host) by CPU
Hi sukisen,
Timechart command is not taking a second argument, so it errors out. Any other ideas, please?
Hi @johnsasikumar, the issue is with the renaming; try this. Timechart won't take more than 1 field AFTER the by clause, but there are no restrictions before the by clause.
| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) as cpu_load ,values(host) as host by CPU
Hi @Sukisen1981
I did try and rename, it works when I give one host. But it doesn’t work for multiple hosts.
When I add an additional host, it doesn’t work.
In your first code having the timechart, what if you also extract the host using multikv?
source=cpu host="XYZ"
| multikv fields CPU pctIdle host
and then apply the timechart with rename?
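
One way to produce the `_time, Host, all,0,1,...` layout asked for in the original question (an added example, not posted by any participant in this thread): aggregate with bucket and stats as in the second query, which keeps host, then pivot the CPU values into columns with xyseries on a combined time-and-host key. "ABC" is a hypothetical second host beside the thread's "XYZ" placeholder, and the "|" separator assumes host names never contain that character.

```spl
index=main source=cpu (host="XYZ" OR host="ABC")
| multikv fields pctIdle host CPU
| eval Percent_CPU_Load = 100 - pctIdle
| bucket _time span=5m
| stats avg(Percent_CPU_Load) as load by _time, host, CPU
| eval load=round(load,0), key=_time."|".host
| xyseries key CPU load
| eval _time=strftime(tonumber(mvindex(split(key,"|"),0)),"%m/%d/%Y %H:%M:%S"), Host=mvindex(split(key,"|"),1)
| fields - key
| table _time Host all *
```

Because xyseries pivots on a single row field, the key carries both the 5-minute bucket and the host, so each output row is one host in one time bucket with a column per CPU value.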