Splunk Search

Simple chart from field values, rather than field count

beaunewcomb
Communicator

sourcetype=syslog "CPU Temp" | sort –CPU_Temp | table host CPU_Temp

CPU_Temp is a field with a numerical value (Temp of the CPU in celsius)

I'd like to create a chart with the resulting data: x-axis = host y-axis = CPU_Temp

So far everything I've tried with the GUI and the chart command isn't working. Does anyone have any ideas?

Bonus if you can make it show the top 100 CPU Temps!

LCM
Contributor
sourcetype=syslog "CPU Temp" | stats avg(CPU_Temp) by host | sort -avg(CPU_temp) | head 100

or, if you want to have more like a timechart (although by 100 hosts, it might be not that nice)

sourcetype=syslog "CPU Temp" | timechart span=10m avg(CPU_Temp) by host

LCM
Contributor

To get one entry per host you can do:

sourcetype=syslog "CPU Temp" | dedup host | table host CPU_Temp

The avg command is not doing something special - only math like: 100dg, 100dg, 1deg = avg67deg. It may look no concise enough, but is fully ok!

You get that empty chart on the first or second command? Have you tried to play around with the time (last 15mins, all time, etc) ?

beaunewcomb
Communicator

Looks like it would work, but I get an empty chart! Also, avg CPU isn't going to be concise enough. Do you know if there's a way to get the LATEST field for each host entry?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...