Splunk Search

mstats custom query

Harish2
Path Finder
|mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host=host1  OR host=host2 span=1d |table Memory_Used
|foreach avg* [|eval <<FIELD>>=round('<<FIELD>>',2)]

We have a dashboard where we are calculating memory for different hosts. The above query is an example.
So, we don't want to repeat this query for all panels.
Instead, I want to create a base search with all hosts like the query below. But it's not working.
Can anyone help on this:

Base Search:
|mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host IN(host1, host2, host3,host4, host5, host6, host7, host8, host9, host10) by host span=1d |foreach avg* [|eval <<FIELD>>=round('<<FIELD>>',2)]

Sub search:
|table Memory_Used
0 Karma

Harish2
Path Finder

Hi @bowesmana , there was a typo error, now I have provided complete query, please check and provide your inputs.

Dashboard XML without base search:

<form>
<label>Dashboard</label>
<row>
<panel>
<title>Metric by hosts</title>
<table>
<search>
<query>|mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx
 host=host1 OR host=host2 span=1d |table Memory_Used
|foreach Memory* [|eval &lt;&lt;FIELD&gt;&gt;=round('&lt;&lt;FIELD&gt;&gt;',2)]</query>
<earliest>-2d@d</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>

Dashboard XML with base search (NOT GETTING OUTPUT):

<form>
<label>Dashboard</label>
<search id=mstats>
<query>|mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx
 host=host* by host span=1d
|foreach Memory* [|eval &lt;&lt;FIELD&gt;&gt;=round('&lt;&lt;FIELD&gt;&gt;',2)]</query>
<earliest>-2d@d</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<title>Metric by hosts</title>
<table>
<search base=mstats>
<query>|search host=host1 OR host=host2 |table Memory_Used</query>
<earliest>-2d@d</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>
0 Karma

bowesmana
SplunkTrust

Your values for id=... and base=... should be in quotes, not sure how that is not giving you an error - also you do not need earliest or latest for the post processing search and you cannot override the base search.

The simplest way to diagnose why a post process search is not working is to open the panel's search in a new window and see what the search is producing and then remove line by line of SPL from the end of the search until you can see what is going wrong.

Those searches _look_ ok, so try the above to figure out what's wrong.

0 Karma

bowesmana
SplunkTrust

What is not working - your first query cannot work as you do a 

...
|table Memory_Used
|foreach avg* [|eval <<FIELD>>=round('<<FIELD>>',2)]

There are no fields starting with avg*

This should work for the base search

| mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host IN(host1, host2, host3, host4, host5, host6, host7, host8, host9, host10) by host span=1d
| eval Memory_Used=round(Memory_Used,2)

but I am puzzled as to what you need a post-processing search for, as there is only one field for each host, MemoryUsed. What are you trying to show in different panels?


0 Karma
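Putting the two replies together (quoted id/base attributes, no earliest/latest on the post-process search, a single eval instead of foreach in the base search), here is an added Simple XML example of the dashboard, written for this thread and not code from either poster. It assumes the index, metric and host names from the question, keeps host and _time in each panel so the per-host daily rows stay distinguishable, and avoids <<FIELD>> because it would have to be escaped as &lt;&lt;FIELD&gt;&gt; inside XML.

```xml
<form>
  <label>Dashboard</label>
  <!-- Base search: runs once over all hosts; the id value must be quoted -->
  <search id="mstats">
    <query>| mstats avg(os.mem.utilized) as Memory_Used where index=metricsidx host IN(host1, host2, host3, host4, host5, host6, host7, host8, host9, host10) by host span=1d
| eval Memory_Used=round(Memory_Used,2)</query>
    <earliest>-2d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Memory by host (host1, host2)</title>
      <table>
        <!-- Post-process search: base value quoted, no earliest/latest here;
             the time range is inherited from the base search and cannot be overridden -->
        <search base="mstats">
          <query>| search host=host1 OR host=host2 | table _time host Memory_Used</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Memory by host (host3, host4)</title>
      <table>
        <search base="mstats">
          <query>| search host=host3 OR host=host4 | table _time host Memory_Used</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If a panel still comes back empty, open that panel's search in a new window, as suggested above, and strip SPL from the end of the post-process query one pipe at a time until rows appear.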