×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
dbeyer085
Engager
Member since: ‎06-12-2020
‎06-15-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎06-12-2020
Activity Feed
View All

Re: Query to find percentage of memory used, am ab...

by in All Apps and Add-ons
‎06-12-2020 10:18 AM
‎06-12-2020 10:18 AM
Hey thanks for the info.  Any thoughts on the best way to get the percentage I'm looking for?  I'm still new to this query syntax.  Is there a way to run the query twice with saved values?  Or some other solution that I'm not thinking of?   ... View more

Query to find percentage of memory used, am able t...

by in All Apps and Add-ons
‎06-12-2020 08:33 AM
‎06-12-2020 08:33 AM
All I’m trying to do is show the percentage of used memory (available/total).  I have the query that returns the Available and the Total from one of the dashboards:   index=*index* sourcetype=tss:action host=*host* category=monitoring_wp OR category=monitoring_as measure="memory health status" OR measure=mem OR measure="available bytes" | eval "Mem Health" = case(measure == "memory health status", value) | eval memory = case(measure == "mem", round(value/1024/1024/1024,2)) | eval "Avail Memory" = case(measure == "available bytes",round(value/1024/1024/1024,2)) | bin span=5m _time | timechart avg("Avail Memory") as "Available Memory (Gb)" avg(memory) as "Heap Mem(Gb) Avg" span=5m     This seems pretty straight forward.  I thought all I would need to do is add another ‘eval’ statement to find the fraction for  the percentage of used memory:   index=*index* sourcetype=tss:action host=*host* category=monitoring_wp OR category=monitoring_as measure="memory health status" OR measure=mem OR measure="available bytes" | eval "Mem Health" = case(measure == "memory health status", value) | eval memory = case(measure == "mem", round(value/1024/1024/1024,2)) | eval "Avail Memory" = case(measure == "available bytes",round(value/1024/1024/1024,2)) | eval "Percentage" = 'Avail Memory'/memory  <----- *****Here is what I added ****** | bin span=5m _time | timechart avg("Avail Memory") as "Available Memory (Gb)" avg(memory) as "Heap Mem(Gb) Avg" avg("PercentageUsed") as "Percentage"  span=5m     But that doesn’t work, that field (PercentageUsed) always returns as empty (null) in the results set.  The  ‘eval’ statement and format works correctly if I replace it with only one of the variables:   (| eval "Percentage" = 'Avail Memory')   or if I just replace one of the variables with a number:   (eval "Percentage" = 'Avail Memory'/2)   Any thoughts on what I could do here?  I was thinking the problem might be that the “Avail Memory” and “memory” are coming from different reports, so when one is not null, the other will be null.  Or I just don’t exactly understand how Splunk is generating these results. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-15-2020 09:00 AM
Karma given to
View All