About dzhariy

dzhariy · ‎11-15-2014

thank you MuS! Now query works on my sandbox environment and I have tried it on production one. The query speed was increased (according to my naked eye) in 4-5 times. THANK YOU!

dzhariy · ‎11-12-2014

Hi MuS, Thank you. I have executed your original query for splunkd, and looks like it is working. As you warned, the query for perfomon is not working “out of the box” 😉 However, I believe, the general idea of your query is the way to go for me: I just need more time to figure out why it returns zeros. I think this is the answer for my question. Thank you, MuS!

dzhariy · ‎11-09-2014

Thank you MuS, I’ve looked through the timewrap app and is definitely worth to look at. Unfortunately, in my organization, I am a regular splunk user with restricted permissions and connot install apps. I will try to ask my administrators to install the app… Anyway, I still can experiment on my localhost splunk.

dzhariy · ‎11-08-2014

In the query below, for each host, I am searching for its performance data for each value for past 5 minutes. The expected output is the following: Open screenshot I have solved this problem using 4 joins… But that made the source code large and ugly… Is there any way I can optimize the size of the query below? Can a define a custom macro inside the query and call it several times with different parameters instead of copy-pasting the code? index=perfmon host=lena counter="% Processor Time" earliest=-1m | fields host,counter,Value | eval ValueR_1m_Ago = round(Value, 2) | eval HostUpperCase = upper(host) | convert ctime(_time) as Time_1m_Ago | fields HostUpperCase, counter, ValueR_1m_Ago, Time_1m_Ago | join HostUpperCase [search index=perfmon host=lena counter="% Processor Time" earliest=-2m latest=-1m | fields host,counter,Value | eval ValueR_2m_Ago = round(Value, 2) | eval HostUpperCase = upper(host) | convert ctime(_time) as Time_2m_Ago | fields HostUpperCase, ValueR_2m_Ago, Time_2m_Ago ] | join HostUpperCase [search index=perfmon host=lena counter="% Processor Time" earliest=-3m latest=-2m | fields host,counter,Value | eval ValueR_3m_Ago = round(Value, 2) | eval HostUpperCase = upper(host) | convert ctime(_time) as Time_3m_Ago | fields HostUpperCase, ValueR_3m_Ago, Time_3m_Ago ] | join HostUpperCase [search index=perfmon host=lena counter="% Processor Time" earliest=-4m latest=-3m | fields host,counter,Value | eval ValueR_4m_Ago = round(Value, 2) | eval HostUpperCase = upper(host) | convert ctime(_time) as Time_4m_Ago | fields HostUpperCase, ValueR_4m_Ago, Time_4m_Ago ] | join HostUpperCase [search index=perfmon host=lena counter="% Processor Time" earliest=-5m latest=-4m | fields host,counter,Value | eval ValueR_5m_Ago = round(Value, 2) | eval HostUpperCase = upper(host) | convert ctime(_time) as Time_5m_Ago | fields HostUpperCase, ValueR_5m_Ago, Time_5m_Ago ] | DEDUP HostUpperCase | sort -ValueR_1m_Ago | table HostUpperCase ,counter ,ValueR_1m_Ago ,Time_1m_Ago ,ValueR_2m_Ago ,ValueR_3m_Ago ,ValueR_4m_Ago ,ValueR_5m_Ago

Posts	4
Solutions	0
Karma Given	2
Karma Received	2
Member Since	‎08-13-2014

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

How to create a custom macro / function inside the...

Re: How to create a custom macro / function inside...

Re: How to create a custom macro / function inside...

Re: How to create a custom macro / function inside...

How to create a custom macro / function inside the...