I'm trying to get CPU statistics for servers that have a variable number of CPUs. Below are some fictitious events in an index:
[timestamp] hostname=hostname1, [some other stuff...], cpu0=0.0155, cpu1=0.0132, [etc...]
[timestamp] hostname=hostname2, [some other stuff...], cpu0=0.0155, cpu1=0.1132, [etc...]
[timestamp] hostname=hostname3, [some other stuff...], cpu0=0.1855, cpu1=0.2132, cpu2=0.8732, cpu3=0.6715 [etc...]
[timestamp] hostname=hostname4, [some other stuff...], cpu0=0.1855, cpu1=0.2132, cpu2=0.8732, cpu3=0.6715, cpu4=0.5632, cpu5=0.3614 [etc...]
Notice that hostname1 has 2 CPUs, hostname3 has 4 CPUs, and hostname4 has 6 CPUs. I would like to get the average for all CPUs in a host by hostname. What would be the best way to accomplish this?
This is a bit clumsy, because it wouldn't handle a change to 8-CPU machines, but I was able to come up with a simple hack:
search ... | eval cpu=cpu0 + ":" + cpu1 + if(isnotnull(cpu2), ":" + cpu2 + ":" + cpu3, "") + if(isnotnull(cpu4), ":" + cpu4 + ":" + cpu5, "") | makemv cpu delim=":"
Now, cpu is a multi-value field, and you can do things like:
stats avg(cpu) AS avg, count(cpu) AS CPUs by _time
The key assumption in the eval above is that CPUs are only ever added in pairs, and that there wouldn't be a machine with an odd number.