Splunk Search

mstats and eval - How to get free memory in GB instead of bytes?

bloodseaker
Explorer

Hi

I have following query to show a graph of the free memory on the server. This working nicely.

However, the numbers are in bytes, making it hard to understand. When doing this with a regular stats command, I could add eval to calculate this, but with mstats this fails

Working query without conversion

| mstats avg(_value) prestats=t WHERE index=em_metrics AND metric_name="Memory.Available_Bytes" span=30s by metric_name
| timechart avg(_value) as "Avg" span=1m by metric_name

failing query with eval

| mstats avg(_value) prestats=t WHERE index=em_metrics AND metric_name="Memory.Available_Bytes" span=30s by metric_name | eval FreeMem = ((_value/1024)/1024)
| timechart avg(FreeMem) as "Avg" span=1m by metric_name

 

Any ideas how this can be achieved, I can't seem to find an example for mstats for this, only questions with stats

Labels (3)
Tags (2)
0 Karma
1 Solution

bloodseaker
Explorer

Ok

 

After playing around like hell... I got it to work.

| mstats avg(_value) as "Avg" WHERE host=VWININTAPI1D AND metric_name="Memory.Available_Bytes" span=5s
| eval mem_gb = Avg / 1024 / 1024 / 1024
| timechart max("mem_gb") AS "GB Free" span=5m

View solution in original post

0 Karma

Isa_O
New Member

But you only ommit by metric_name why about if we have for example various host...

0 Karma

bloodseaker
Explorer

Ok

 

After playing around like hell... I got it to work.

| mstats avg(_value) as "Avg" WHERE host=VWININTAPI1D AND metric_name="Memory.Available_Bytes" span=5s
| eval mem_gb = Avg / 1024 / 1024 / 1024
| timechart max("mem_gb") AS "GB Free" span=5m
0 Karma

JoshMc
Loves-to-Learn

When I try the accepted solution I get the error:

Cannot filter on 'metric_name' in normalized syntax.

Here's my query:

| mstats avg(value) AS mem_b WHERE index="my-index" AND metric_name="jvm_memory_used" span=1m BY "app.name"
| eval mem_gb = mem_b / 1024 /1024 / 1024
| stats max(mem_gb) BY "app.name"
0 Karma

bloodseaker
Explorer

Hi,

 

Sorry for my late response.

I tried several scenario's, as well the one you suggested. In your first suggestion, using avg(_value) in the eval, it gives the error that avg is not supported in eval

The second suggestion also fails (with the as _value). It doesn't give an error, but the statistics are just empty without data of graph shown. (removing it, shows me the data again, so it must be incorrect).

The third solution is what I am doing now, but it will show in the graph something like 6.5b where b stands for billion and not bytes. Which is confusing, as the graph will say 'free memory in bytes' and one could mistakenly interpret is as 6.5 bytes... 


I don't think this is a nice solution. You're still showing values in bytes and looks weird. I'd just want to convert it to a 1 or 2-decimal GB value and have the graph show 6.5Gb instead (Gigabytes)

Via the Analytics tab is a lot easier to work with the data and get it in the graph, but also that lacks the ability of calculations or rounding 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Wouldn't avg(_value) be in a field called avg(_value) so FreeMem=((avg(_value)/1024)/1024)? Or can you mstat avg(_value) as _value? Alternatively, can you switch on number abbreviations for the y-axis on the chart?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...