Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

help on a complex timechart

jip31
Motivator
‎02-28-2020 07:01 AM

hi
I use the search below in order to display a timechart which count the number of host which are in a cpu range consumption (0 - 20, 20 -40, 40 - 60)

 `CPU`   earliest=-30d latest=now 
| fields process_cpu_used_percent host 
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
    process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
    process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60")
| timechart span=1d dc(host) as host by cpu_range

I need to changes :
1) Instead counting the number of process_cpu_used_percent by host in a cpu range, I need to count the number of the process_used_percent average by host in a cpu range
2) Is is possible to take only the evnts which are in a specific slot time? (between 8h and 17h)
thanks a lot for your help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sumanssah
Communicator
‎02-28-2020 08:22 AM

Try something like 

 `CPU`   
 | eval hourmin = strftime(_time, "%H%M")
 | where (hourmin >= 800 AND hourmin <= 1700)
  | timechart span=1h avg(process_cpu_used_percent) as cpu_average by host

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sumanssah
Communicator
‎02-28-2020 08:22 AM

Try something like 

 `CPU`   
 | eval hourmin = strftime(_time, "%H%M")
 | where (hourmin >= 800 AND hourmin <= 1700)
  | timechart span=1h avg(process_cpu_used_percent) as cpu_average by host
0 Karma
Reply
Solved! Jump to solution

13tsavage
Communicator
‎02-28-2020 08:01 AM

Give this a try: 

 `CPU`   earliest=-17h latest=-8h 
 | fields process_cpu_used_percent host 
 | eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
     process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
     process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60")
 | timechart span=1h avg(process_cpu_used_percent) as cpu_average by host

Hope this helps!

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-01-2020 10:28 PM

earliest=-17h latest=-8h is not good because if I am doing this i have just the vents for one day instead 7 days like i need....

0 Karma
Reply
Solved! Jump to solution

13tsavage
Communicator
‎02-28-2020 08:03 AM

Side note, you would not need the | fields process_cpu_used_percent host line. The timechart would give you the exact output you want.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...