Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help on a complex timechart
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
02-28-2020
07:01 AM
hi
I use the search below in order to display a timechart which count the number of host which are in a cpu range consumption (0 - 20, 20 -40, 40 - 60)
`CPU` earliest=-30d latest=now
| fields process_cpu_used_percent host
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60")
| timechart span=1d dc(host) as host by cpu_range
I need to changes :
1) Instead counting the number of process_cpu_used_percent by host in a cpu range, I need to count the number of the process_used_percent average by host in a cpu range
2) Is is possible to take only the evnts which are in a specific slot time? (between 8h and 17h)
thanks a lot for your help
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumanssah
Communicator
02-28-2020
08:22 AM
Try something like
`CPU`
| eval hourmin = strftime(_time, "%H%M")
| where (hourmin >= 800 AND hourmin <= 1700)
| timechart span=1h avg(process_cpu_used_percent) as cpu_average by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumanssah
Communicator
02-28-2020
08:22 AM
Try something like
`CPU`
| eval hourmin = strftime(_time, "%H%M")
| where (hourmin >= 800 AND hourmin <= 1700)
| timechart span=1h avg(process_cpu_used_percent) as cpu_average by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
13tsavage
Communicator
02-28-2020
08:01 AM
Give this a try:
`CPU` earliest=-17h latest=-8h
| fields process_cpu_used_percent host
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60")
| timechart span=1h avg(process_cpu_used_percent) as cpu_average by host
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-01-2020
10:28 PM
earliest=-17h latest=-8h is not good because if I am doing this i have just the vents for one day instead 7 days like i need....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
13tsavage
Communicator
02-28-2020
08:03 AM
Side note, you would not need the | fields process_cpu_used_percent host line. The timechart would give you the exact output you want.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
