
mstats custom query

Harish2
Path Finder
|mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host=host1  OR host=host2 span=1d |table Memory_Used
|foreach avg* [|eval <<FIELD>>=round('<<FIELD>>',2)]

We have a dashboard where we are calculating memory for different hosts. The query above is an example.
So, we don't want to repeat this query for all panels.
Instead, I want to create a base search with all hosts, like the query below. But it's not working.
Can anyone help with this?

Base Search:
|mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host IN(host1, host2, host3,host4, host5, host6, host7, host8, host9, host10) by host span=1d |foreach avg* [|eval <<FIELD>>=round('<<FIELD>>',2)]

Sub search:
|table Memory_Used
0 Karma

Harish2
Path Finder

Hi @bowesmana, there was a typo; I have now provided the complete query. Please check and provide your inputs.

Dashboard XML without base search:

<form>
<label>Dashboard</label>
<row>
<panel>
<title> Metric by hosts</title>
<table>
<search>
<query> |mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx
 host=host1  OR host=host2 span=1d |table Memory_Used
|foreach Memory* [|eval <<FIELD>>=round('<<FIELD>>',2)]
</query>
<earliest>-2d@d</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>

Dashboard XML with base search (NOT GETTING OUTPUT):

<form>
<label>Dashboard</label>
<search id=mstats>
<query> |mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx
 host=host* by host span=1d 
|foreach Memory* [|eval <<FIELD>>=round('<<FIELD>>',2)]
</query>
<earliest>-2d@d</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<title> Metric by hosts</title>
<table>
<search base=mstats>
<query> |search host=host1 OR host=host2 |table Memory_Used </query>
<earliest>-2d@d</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>

0 Karma

bowesmana
SplunkTrust

Your values for id=... and base=... should be in quotes; not sure how that is not giving you an error. Also, you do not need earliest or latest for the post-processing search, and you cannot override the base search.

The simplest way to diagnose why a post process search is not working is to open the panel's search in a new window and see what the search is producing and then remove line by line of SPL from the end of the search until you can see what is going wrong.

Those searches _look_ ok so try the above to figure out what's wrong 

0 Karma

bowesmana
SplunkTrust

What is not working - your first query cannot work as you do a 

...
|table Memory_Used
|foreach avg* [|eval <<FIELD>>=round('<<FIELD>>',2)]

There are no fields starting with avg*

This should work for the base search

| mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host IN(host1, host2, host3,host4, host5, host6, host7, host8, host9, host10) by host span=1d 
| eval Memory_Used=round(Memory_Used,2)

But I am puzzled what you need a post-processing search for, as there is only one field for each host, Memory_Used. What are you trying to show in different panels?

 

0 Karma
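
The points raised in the replies above (quoted id and base values, no earliest/latest on the post-process search, rounding the aliased field by name), put together as an added example that is not code from any poster in this thread. The search id "mem_base", the second panel, its host3/host4 filter and the panel titles are assumptions made for illustration.

```xml
<form>
  <label>Dashboard</label>
  <!-- Base search: runs once for the whole dashboard. The id value is quoted.
       "mem_base" is a name chosen for this example. -->
  <search id="mem_base">
    <query>
      | mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host IN(host1, host2, host3, host4, host5, host6, host7, host8, host9, host10) by host span=1d
      | eval Memory_Used=round(Memory_Used,2)
    </query>
    <!-- The time range is set here only; post-process searches inherit it. -->
    <earliest>-2d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Metric by hosts: host1, host2</title>
      <table>
        <!-- Post-process search: base value quoted, no earliest/latest.
             It only filters and formats rows the base search returned. -->
        <search base="mem_base">
          <query>| search host=host1 OR host=host2 | table _time host Memory_Used</query>
        </search>
      </table>
    </panel>
    <panel>
      <!-- Second panel (assumed for illustration) reuses the same base results. -->
      <title>Metric by hosts: host3, host4</title>
      <table>
        <search base="mem_base">
          <query>| search host=host3 OR host=host4 | table _time host Memory_Used</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the rounding uses eval on the aliased field rather than foreach, the query contains no <<FIELD>> tokens that would need escaping inside the XML.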