Splunk Search

What is the best search to display memory usage by host?

hippe21
Explorer

Hello,
I have some container metrics being logged that are formatted as such:

Used Memory:

ip=1.2.3.4
event_type=ValueMetric
name=/host/info/memory/used_memory
value=12345

Available Memory:

ip=1.2.3.4
event_type=ValueMetric
name=/host/info/memory/max_memory
value=12345

Since I have two different fields by name (/host/info/memory/used_memory & /host/info/memory/max_memory), what is the best way to display used_memory as a percentage by the available memory?

I'd ultimately like to show memory usage over time to build a dashboard. Specifically I'd like to see memory usage by IP, to show spikes in memory usage by IP.

0 Karma

somesoni2
Revered Legend

Try like this

In case you chart per some field say _time,

your base search 
| eval name=mvindex(split(name,"/"),-1)
| chart max(value) by _time name
| eval used_perc=round(used_memory*100/max_memory,2)

If you just want a single row/value giving you percent,

your base search 
| eval name=mvindex(split(name,"/"),-1)
| eval {name}=value
| stats max(used_memory) as used_memory max(max_memory) as max_memory
| eval used_perc=round(used_memory*100/max_memory,2)
0 Karma

hippe21
Explorer

Thanks for the reply. I'm going to play around with this a bit. I updated my original request. Ideally I'd like to see memory usage % by IP (there would be 5 nodes with different IP's).

0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...