Splunk Search

UNIX CPU data extraction for multiple hosts

johnsasikumar
Path Finder

Hello,
Am trying to extract UNIX CPU data core wise for multiple hosts, Am using the below query for extract,

source=cpu host="XYZ"
| multikv fields CPU pctIdle
| eval Percent_CPU_Load = 100 - pctIdle
| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) by CPU
| table _time all *
| eval _time=strftime(_time,"%m/%d/%Y %H:%M:%S")
| table _time all *

however this looses the host field after the timechart command and am not able to view name of the host in the table.

"_time",all,0,1,2,3,4,5,6,7
"08/14/2019 14:35:00",3,3,4,4,5,3,2,3,2
"08/14/2019 14:40:00",5,5,7,6,5,5,4,5,4
"08/14/2019 14:45:00",4,4,4,5,5,4,4,3,4
"08/14/2019 14:50:00",2,2,1,2,2,2,5,4,1

I also tried with the bucket and stats command which gives the host field (query as below) but, it changes the format.

index=main host="XYZ" source=cpu
| multikv fields pctIdle host CPU
| eval Percent_CPU_Load = 100 - pctIdle
| table _time host CPU Percent_CPU_Load
| bucket _time span=5m
| stats avg(Percent_CPU_Load) by _time,CPU,host

"_time",CPU,host,"avg(Percent_CPU_Load)"
"2019-08-13T14:00:00.000-0400",0,"XYZ","1.9040000000000006"
"2019-08-13T14:00:00.000-0400",1,"XYZ","2.8860000000000015"
"2019-08-13T14:00:00.000-0400",2,"XYZ","2.1960000000000006"
"2019-08-13T14:00:00.000-0400",3,"XYZ","2.7099999999999995"
"2019-08-13T14:00:00.000-0400",4,"XYZ","2.5839999999999987"
"2019-08-13T14:00:00.000-0400",5,"XYZ","2.595"
"2019-08-13T14:00:00.000-0400",6,"XYZ","2.1990000000000007"
"2019-08-13T14:00:00.000-0400",7,"XYZ","2.093000000000001"

Am also unable to use an eval command and add a host field, Because the query is for an extract and I might need to add multiple hosts.
So please could some one help me with an extract in the below format

_time, Host, all,0,1,2,3,4,5,6,7

Tags (1)
0 Karma

johnsasikumar
Path Finder

Hi Sukisen,
Timechart command doesn’t accept a second argument. So it’s throwing an error.

0 Karma

Sukisen1981
Champion

what happens if inyour first code, you just tinker with the timechart a bit

| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) ,values(host) by CPU
0 Karma

johnsasikumar
Path Finder

Hi sukisen,
Timechart command is not taking a second argument, so it errors out. Any other ideas pls

0 Karma

Sukisen1981
Champion

hi @johnsasikumar the issue is with the renaming try this. Timechart won;t take more than 1 field AFTER the by clause , but there are no restrictions before the by clause

| timechart span=5m eval(round(avg(Percent_CPU_Load),0)) as cpu_load ,values(host) as host by CPU
0 Karma

johnsasikumar
Path Finder

Hi @Sukisen1981
I did try and rename, it works when I give one host. But it doesn’t work for multiple hosts.
When I add an additional host it doesn’t work

0 Karma

Sukisen1981
Champion

in your first code having the timechart, what if you also extract the host using multikv?
source=cpu host="XYZ"
| multikv fields CPU pctIdle host

and then apply the timechart with rename?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...