Splunk Search

help on eval field which returns any results

jip31
Motivator

alt textlink text

Hi

I have an issue with the field MemoryUsage
I have no results in | eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) due to the field FreeMemory which returns any results
Its strange because the "Value" fields is an positive and integer number and I collect well this field
So what is the issue please

| fields host Value TotalPhysicalMemory 
| eval FreeMemory = round(Value, 0)
| eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 0) 
| eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) 
| stats last(FreeMemory) as "Free Memory", last(TotalMemory) as "Total Memory", values(MemoryUsage) as "Memory Usage" by host 
| eval Free Memory='Free Memory'." MB", Total Memory='Total Memory'." MB", Memory Usage='Memory Usage'." %"


 

Tags (2)
0 Karma
1 Solution

nickhills
Ultra Champion

alt text

As suspected, your events are riddled with null values - you are getting the physical memory and FreeMemory (Value) from different events.

Try this (i have made some assumptions about host and _time) but see how this looks

 | fields _time host Value TotalPhysicalMemory 
 | bin span=5m _time
 | stats latest(Value) as FreeMemory latest(TotalPhysicalMemory) as TotalPhysicalMemory by host,_time
 | eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 0) 
 | eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) 
 | eval Free Memory='Free Memory'." MB", Total Memory='Total Memory'." MB", Memory Usage='Memory Usage'." %"
 |table _time host TotalMemory FreeMemory MemoryUsage
If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

alt text

As suspected, your events are riddled with null values - you are getting the physical memory and FreeMemory (Value) from different events.

Try this (i have made some assumptions about host and _time) but see how this looks

 | fields _time host Value TotalPhysicalMemory 
 | bin span=5m _time
 | stats latest(Value) as FreeMemory latest(TotalPhysicalMemory) as TotalPhysicalMemory by host,_time
 | eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 0) 
 | eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) 
 | eval Free Memory='Free Memory'." MB", Total Memory='Total Memory'." MB", Memory Usage='Memory Usage'." %"
 |table _time host TotalMemory FreeMemory MemoryUsage
If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

Ok but I dont use | table in my search but stats by host
what I dont understand is that when i am doing a stats by host I have a value for all fields except MemoryUsage
So why I cant calculate this field??

0 Karma

nickhills
Ultra Champion

Because you are doing the stats (which merges the events) after the calculations have failed. My above example moves the stats before the calculations.

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

thanks for your precious support!

0 Karma

to4kawa
Ultra Champion

look between Value 3149 and 2218
there is null field.
why?

0 Karma

nickhills
Ultra Champion

Can you provide an example of what value contains?

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

I have attached an example of value field

0 Karma

nickhills
Ultra Champion

Silly question - does your physical memory (or the value reported) always exceed the free memory?
This strikes me that it can only be a maths problem.

Your formula is converting TotalPhysicalMemory from bytes -> kilobytes -> megabytes, but there is no conversion for FreeMemory, is that always represented in megabytes?

Can you run:
<your base search>|table Value TotalPhysicalMemory FreeMemory TotalMemory MemoryUsage
So we can see the numbers that are being fed into the calculation.

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

normally PhysicalMemory (memory installed) always exceed free memory
yes by defaumt free memory is in megabytes
I have executed the search I have results except in MemoryUsage
if I replace FreeMemory by an integer in | eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) it works
so the problem is arround FreeMemory

0 Karma

nickhills
Ultra Champion

Can you just post the output of this:
<your base search>|table Value TotalPhysicalMemory FreeMemory TotalMemory MemoryUsage

There is something wrong with your data, and the results of that output will help highlight what the problem is.

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

I have attached the output

0 Karma

nickhills
Ultra Champion

Thanks for the output, but that does not help.
Please can you post the output of this:

| fields host Value TotalPhysicalMemory 
| eval FreeMemory = round(Value, 0)
| eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 0) 
| eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) 
|table Value TotalPhysicalMemory FreeMemory TotalMemory MemoryUsage 

My expectation is that there will be some rows with values missing/invalid

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

hum...
its the same output like yesterday no??
To my mind, i think that Value or TotalPhysicalMemory is not interpreted as a number
What do you think about this? I tried with a tonumber function but always ko!

0 Karma

nickhills
Ultra Champion

no, its different - we dont want the stats commands in the output.

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

sorry i send it in 2 minutes

0 Karma

jip31
Motivator
0 Karma

FreekMulders
New Member

If the field MemoryUsage is empty, it is probably because the TotalMemory is 0 (due to rounding) and you cannot divide by 0.

0 Karma

jip31
Motivator

no, TotalMemory is never equal to 0........

0 Karma

nickhills
Ultra Champion

or value is empty in the event.

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...