Show top 5 CPU usage of VMware hosts

pduvofmr
Path Finder

Hi Splunkies,

This is my search:
index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart avg(cpu_load_percent) by hypervisor_name

My problem:
This search will list all hosts.
But I would like to have an evaluation of the top 5 hosts.
The idea was to calculate the sum of average values from one host over a period of time.
Then I compare this result with the other hosts and could sort a top 5 list...

Does anyone have an idea how to modify the search?

0 Karma

Prewin027
Explorer

Hi,

You can use the search below.

index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart avg(cpu_load_percent) by hypervisor_name

Modify the same to:

index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart usenull=f useother=f avg(cpu_load_percent) by hypervisor_name where avg in top5

0 Karma

pduvofmr
Path Finder

Hi,

Works, but it doesn't sort the host list from maximum to minimum load.
Can you help me again?

thx

0 Karma

woodcock
Esteemed Legend

Never use join; try this:

(index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*") OR
(index="vmware-inv" sourcetype="vmware:inv:hostsystem")
| eventstats values(hypervisor_name) AS hypervisor_name BY hypervisor_id
| timechart avg(cpu_load_percent) AS avg_cpu_load_pct BY hypervisor_name
| untable _time hypervisor_name avg_cpu_load_pct
| eventstats sum(avg_cpu_load_pct) AS sum_for_top5 BY hypervisor_name
| sort 0 - sum_for_top5 hypervisor_name
| streamstats current=f last(hypervisor_name) AS next_hypervisor_name
| streamstats count(eval(hypervisor_name!=next_hypervisor_name)) AS count
| where count<5
| timechart limit=0 useother=f avg(avg_cpu_load_pct) AS avg_cpu_load_pct BY hypervisor_name

0 Karma

pduvofmr
Path Finder

Quote: Never use join

Why, please explain - thx

0 Karma

woodcock
Esteemed Legend

Just Google it. This has been widely opined. It does not scale.

0 Karma

pduvofmr
Path Finder

The problem is that the graph shows zero until the evaluation is complete (10-30 seconds).

With join the graph builds up ...

0 Karma

woodcock
Esteemed Legend

But it will be lacking events and showing incorrect results.

0 Karma

pduvofmr
Path Finder

Hi,

There is no list of hosts...

0 Karma

woodcock
Esteemed Legend

I assumed that hypervisor_name was your "host" field. Are there multiple hosts per hypervisor or multiple hypervisors per host? Answer that and I will try again.

0 Karma

pduvofmr
Path Finder

host = ESX Server
supervisor = ???

Actually, the top 5 ESX servers were sorted alphabetically, not by load.

0 Karma

woodcock
Esteemed Legend

Stupid autocorrect. I should have said "hypervisor", not "supervisor".

0 Karma

pduvofmr
Path Finder

Correction:

There is a host list; it was a performance problem, sorry, dev center 😉
Now, how to sort hosts to display from maximum to minimum load?

thx

0 Karma
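
One way to get the series ordered from highest to lowest load, as an added example that is not part of any post in this thread. It reuses woodcock's search unchanged up to the `where count<5` step and assumes, as reported above, that timechart orders the split-by series alphabetically, so each host name is prefixed with its load rank; the field name `series` is introduced here for illustration.

```spl
(index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*") OR
(index="vmware-inv" sourcetype="vmware:inv:hostsystem")
| eventstats values(hypervisor_name) AS hypervisor_name BY hypervisor_id
| timechart avg(cpu_load_percent) AS avg_cpu_load_pct BY hypervisor_name
| untable _time hypervisor_name avg_cpu_load_pct
| eventstats sum(avg_cpu_load_pct) AS sum_for_top5 BY hypervisor_name
| sort 0 - sum_for_top5 hypervisor_name
| streamstats current=f last(hypervisor_name) AS next_hypervisor_name
| streamstats count(eval(hypervisor_name!=next_hypervisor_name)) AS count
| where count<5
| eval series = tostring(count + 1) . ". " . hypervisor_name
| timechart limit=0 useother=f avg(avg_cpu_load_pct) AS avg_cpu_load_pct BY series
```

Because `count` runs from 0 for the most loaded host to 4 for the fifth, the legend reads "1. <host>" through "5. <host>" in load order. A single-digit prefix is enough for five series; a longer list would need a zero-padded rank to keep the alphabetical order equal to the load order.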