this is my search:
index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisorid="*"
| join hypervisorid [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart avg(cpuloadpercent) by hypervisor_name
This search will list all hosts.
But, i would like to have an evaluation of the top 5 hosts.
The idea was to calculate the sum of average values from one host over a period of time.
Then i compare this result with the other hosts and could sort a top 5 list...
Does anyone have an idea how to modify the search?
join; try this:
(index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*") OR (index="vmware-inv" sourcetype="vmware:inv:hostsystem") | eventstats values(hypervisor_name) AS hypervisor_name BY hypervisor_id | timechart avg(cpu_load_percent) AS avg_cpu_load_pct BY hypervisor_name | untable _time hypervisor_name avg_cpu_load_pct | eventstats sum(avg_cpu_load_pct) AS sum_for_top5 BY hypervisor_name | sort 0 - sum_for_top5 hypervisor_name | streamstats current=f last(hypervisor_name) AS next_hypervisor_name | streamstats count(eval(hypervisor_name!=next_hypervisor_name)) AS count | where count<5 | timechart limit=0 useother=f avg(avg_cpu_load_pct) AS avg_cpu_load_pct BY hypervisor_name
there is a host list, was a performance problem, sorry, dev center 😉
Now, how to sort hosts to display from maximum to minimum load?
I assumed that
hypervisor_name was your
"host" field. Are there multiple hosts per hypervisor or multiple hypervisor per host? Answer that and I will try again.