I have the following query that is intended to divide the "stats.hypervisor_cpu_ppm" field by 10000 and then show that value in a table.
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=stats.hypervisor_cpu_usage_ppm / 10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host
When I run the query, it gives me a table with the host, the values for stats.hypervisor_cpu_ppm, and then an empty column for usage. Why is the usage column empty?
Hey!
I bumped into this thread and noticed this was not solved.
If you noticed, the fields are presented as strings (a, not #) and tonumber fails due to multiple values in the string.
Here's how I found the solution:
/opt/splunk/etc/system/local/props.conf
[nutanix_arch]
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = JSON
https://answers.splunk.com/answers/610585/json-format-duplicate-value-in-field.html
Now the field is an integer and you can eval it with the following command:
|eval usage='stats.hypervisor_cpu_usage_ppm' / 10000
Hope this helps! 🙂
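The multiple-values condition described in this answer can be reproduced and checked at search time. The search below is an added example, not part of the original thread: it builds one constructed event whose field holds the duplicated value 286690 from the sample entries posted in the thread (the host name is a constructed placeholder), counts the values with mvcount, and compares direct division with division of the first value only.

```spl
| makeresults
| eval host="constructed-host-01"
| eval ppm=mvappend("286690", "286690")
| rename ppm AS "stats.hypervisor_cpu_usage_ppm"
| eval value_count=mvcount('stats.hypervisor_cpu_usage_ppm')
| eval usage_direct='stats.hypervisor_cpu_usage_ppm' / 10000
| eval usage_first=tonumber(mvindex('stats.hypervisor_cpu_usage_ppm', 0)) / 10000
| table host, stats.hypervisor_cpu_usage_ppm, value_count, usage_direct, usage_first
```

A value_count greater than 1 on real events means the field is multivalue, which leaves usage_direct empty while usage_first is populated. Taking the first value with mvindex is a search-time workaround; the props.conf change above removes the duplicate extraction itself.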
I am running into a similar issue and have discovered that Splunk is extracting the field that I'm dividing incorrectly. I have a field that's something like size=123 in my events, but Splunk for some reason grabs the user agent string from the events and assigns that to size. So make sure your stats.hypervisor_cpu_usage_ppm field has the actual numerical values that you expect. I'm still working on fixing my problem, and will update here if fixing field extraction fixed the division problem.
Can you try the below
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=tonumber(stats.hypervisor_cpu_usage_ppm) / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage
Thanks
No luck, the usage column is still empty. Also, putting the quotes around stats.hypervisor_cpu_usage_ppm like this: | table host, 'stats.hypervisor_cpu_usage_ppm' causes that column to be empty as well.
Please try this and let us know whether stats.hypervisor_cpu_usage_ppm has field values populated
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |table stats.hypervisor_cpu_usage_ppm |eval number = 1000 |eval divide = stats.hypervisor_cpu_usage_ppm/number
This only returns two columns. The "stats.hypervisor_cpu_usage_ppm" column has its values and then there is a "divide" column that just has the value 10000. I used your suggestion and tried the following, but it left me with the same problem that I have been having - the "usage" column is empty.
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |eval number = 1000 |eval usage = stats.hypervisor_cpu_usage_ppm/number | table host, stats.hypervisor_cpu_usage_ppm, usage
Can you post some sample entries that you see for field stats.hypervisor_cpu_usage_ppm, before division?
Here is an example of entries for that field:
stats.hypervisor_cpu_usage_ppm
286690
286690
745400
745400
Shot in the dark, try this
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=replace('stats.hypervisor_cpu_usage_ppm',"\s+","")/10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host
Is that the value of a single field? Is it a multivalue field?
Try this:
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=$stats.hypervisor_cpu_usage_ppm$ / 10000
| table host, $stats.hypervisor_cpu_usage_ppm$, usage
Or this:
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage
Neither of these worked. In fact, they both resulted in the stats.hypervisor_cpu_usage_ppm column being empty as well as the usage column.
I believe you need to replace this:
| eval usage=stats.hypervisor_cpu_usage_ppm / 10000
with this:
| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000
Splunk has some quirks about when field names must be wrapped with quotes in order to reference them, and field names with non-alphanumeric characters often trigger those.
I have tried this, but I get the same empty column. I tried double quotes as well, but that returned an error because Splunk read it as a string being divided by a number.
Try this:
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host | rename stats.hypervisor_cpu_usage_ppm as USAGEPPM
| eval usage=USAGEPPM/ 10000
| table host,USAGEPPM, usage
Basically, I have renamed the field stats.hypervisor_cpu_usage_ppm as USAGEPPM.
This does not work either... I don't know why this is happening, it doesn't make much sense.