Splunk Search

timechart issiue

Mohsin123
Path Finder

Hi ,

i have 3 fields host , swapfree, memoryfree in my index
i want to display count like this :

timechart span=1h count(swapfree) as swapfree , count(memoryfree) as memoryfree by host

problem is : i am passing swapfree and memory free as token and host also as token
can anyone help me in this :

in my timechart : x-axis: time , y-axis : bytes in swapfree , memoryfree for the host selected

Tags (1)
0 Karma

FrankVl
Ultra Champion

What exactly is and isn't working with your current approach?

Also: if you want to chart the actual bytes, you shouldn't be using count() as the aggregation function in the timechart command. You probably want to use avg(), min() or max() or earliest() or latest() depending on what exactly you want to display.

0 Karma

Mohsin123
Path Finder

used tokens :

index=idix_infra_prod $swap$ $host$ source=Apigssor
| table _time host $swap$
| fields - OR
| timechart span=$span$ count by $swap$

translates to :

index=iod MemoryBuffers MemoryUsedPercent MemoryTotal (host="vgapx5vr") source=Apigor
| table _time host MemoryBuffers MemoryUsedPercent MemoryTotal
| fields - OR
| timechart span=1h count by MemoryBuffers MemoryUsedPercent MemoryTotal

0 Karma

Mohsin123
Path Finder

if i try to do an average , this is the problem, token issue

index=idxrod $swap$ $host$ source=Apicessor
| table _time host $swap$
| fields - OR
| timechart span=$span$ avg($swap$)

index=idrod MemoryBuffers MemoryUsedPercent MemoryTotal (host="vgapx5vr") source=Apor
| table _time host MemoryBuffers MemoryUsedPercent MemoryTotal
| fields - OR
| timechart span=1h avg(MemoryBuffers MemoryUsedPercent MemoryTotal)

0 Karma

FrankVl
Ultra Champion

Sounds like you may need to rethink your token approach a bit, because avg(field1 field2 field3) of course will not work. Not an expert on tokens, but you can perhaps do some pre-processing on that token before passing it to the search, such that you can provide a specific token for the timechart command that actually takes the avg() of each of the fields rather than avg over a string containing multiple fieldnames.

0 Karma

Mohsin123
Path Finder

when i am using one token , its working
but multiple tokens wen i am selecting using multiselct , its not working

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...