Re: What is the best search to display memory usag...

hippe21 · ‎04-27-2017

Hello,
I have some container metrics being logged that are formatted as such:

Used Memory:

ip=1.2.3.4
event_type=ValueMetric
name=/host/info/memory/used_memory
value=12345

Available Memory:

ip=1.2.3.4
event_type=ValueMetric
name=/host/info/memory/max_memory
value=12345

Since I have two different fields by name (/host/info/memory/used_memory & /host/info/memory/max_memory), what is the best way to display used_memory as a percentage by the available memory?

I'd ultimately like to show memory usage over time to build a dashboard. Specifically I'd like to see memory usage by IP, to show spikes in memory usage by IP.

somesoni2 · ‎04-27-2017

Try like this

In case you chart per some field say _time,

your base search 
| eval name=mvindex(split(name,"/"),-1)
| chart max(value) by _time name
| eval used_perc=round(used_memory*100/max_memory,2)

If you just want a single row/value giving you percent,

your base search 
| eval name=mvindex(split(name,"/"),-1)
| eval {name}=value
| stats max(used_memory) as used_memory max(max_memory) as max_memory
| eval used_perc=round(used_memory*100/max_memory,2)

hippe21 · ‎04-28-2017

Thanks for the reply. I'm going to play around with this a bit. I updated my original request. Ideally I'd like to see memory usage % by IP (there would be 5 nodes with different IP's).

What is the best search to display memory usage by host?

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition

Are you a member of the Splunk Community?

What is the best search to display memory usage by host?

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition