Splunk Search

show top 5 CPU Usage vom VMware Hosts

pduvofmr
Path Finder

Hi Splunkies,

this is my search:
index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart avg(cpu_load_percent) by hypervisor_name

my Problem:
This search will list all hosts.
But, i would like to have an evaluation of the top 5 hosts.
The idea was to calculate the sum of average values from one host over a period of time.
Then i compare this result with the other hosts and could sort a top 5 list...

Does anyone have an idea how to modify the search?

0 Karma

Prewin027
Explorer

Hi,

You can use below search.

index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart avg(cpu_load_percent) by hypervisor_name

modify the same to

index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart usenull=f useother=f avg(cpu_load_percent) by hypervisor_name where avg in top5

0 Karma

pduvofmr
Path Finder

Hi,

works, but it dont sort the host list vom maximum to minimum load.
Can you helm me again?

thx

0 Karma

woodcock
Esteemed Legend

Never use join; try this:

(index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*") OR
(index="vmware-inv" sourcetype="vmware:inv:hostsystem")
| eventstats values(hypervisor_name) AS hypervisor_name BY hypervisor_id
| timechart avg(cpu_load_percent) AS avg_cpu_load_pct BY hypervisor_name
| untable _time hypervisor_name avg_cpu_load_pct
| eventstats sum(avg_cpu_load_pct) AS sum_for_top5 BY hypervisor_name
| sort 0 - sum_for_top5 hypervisor_name
| streamstats current=f last(hypervisor_name) AS next_hypervisor_name
| streamstats count(eval(hypervisor_name!=next_hypervisor_name)) AS count
| where count<5
| timechart limit=0 useother=f avg(avg_cpu_load_pct) AS avg_cpu_load_pct BY hypervisor_name
0 Karma

pduvofmr
Path Finder

Quote: Never use join

Why, please explain - thx

0 Karma

woodcock
Esteemed Legend

Just Google it. This has been widely opined. It does not scale.

0 Karma

pduvofmr
Path Finder

the problem is that the graph shows zero until the evaluation is complete. (10-30 seconds)

With join the graph builds up ...

0 Karma

woodcock
Esteemed Legend

But it will be lacking events and showing incorrect results.

0 Karma

pduvofmr
Path Finder

Hi,

ther is no list of hosts...

0 Karma

woodcock
Esteemed Legend

I assumed that hypervisor_name was your "host" field. Are there multiple hosts per hypervisor or multiple hypervisor per host? Answer that and I will try again.

0 Karma

pduvofmr
Path Finder

host = ESX Server
supervisor = ???

actualy the top5 ESX server where sorted alphabetically, not by load

0 Karma

woodcock
Esteemed Legend

Stupid autocorrect. I should have said "hypervisor", not "supervisor".

0 Karma

pduvofmr
Path Finder

Correction:

there is a host list, was a performance problem, sorry, dev center 😉
Now, how to sort hosts to display from maximum to minimum load?

thx

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...