Hi all,
I'm having difficulty trying to create a total_cpu field. If I map a single variable to it, this works fine and creates the field, but if I try to add them together, no field is returned.
Current query below:
sourcetype="Perfmon:Processor" host="CFDFXNFR-APP22" instance=_Total AND (counter="% User Time" OR counter="% Privileged Time" OR counter="% Interrupt Time") |
eval user=if(counter="% User Time", Value, null()) |
eval system=if(counter="% Privileged Time", Value, null()) |
eval interrupt=if(counter="% Interrupt Time", Value, null()) |
eval total_cpu=user+system+interrupt |
timechart per_second(user) as user, per_second(system) as system, per_second(idle) as idle, per_second(interrupt) as interrupt, per_second(total_cpu) as total_cpu by host limit=100 span=1s
Does anyone have any insight into what may be going wrong here?
Many thanks in advance!!
There will be one row per counter; out of the 3 rows per run of Perfmon, field user will be null for rows with counter != "% User Time". The same is the case with the other two fields. Try something like this:
sourcetype="Perfmon:Processor" host="CFDFXNFR-APP22" instance=_Total AND (counter="% User Time" OR counter="% Privileged Time" OR counter="% Interrupt Time") | eval user=if(counter="% User Time", Value, null()) | eval system=if(counter="% Privileged Time", Value, null()) | eval interrupt=if(counter="% Interrupt Time", Value, null()) | stats values(user) as user, values(system) as system, values(interrupt) as interrupt by _time,host | eval total_cpu=user+system+interrupt | timechart per_second(user) as user, per_second(system) as system, per_second(interrupt) as interrupt, per_second(total_cpu) as total_cpu by host limit=100 span=1s
Awesome, that's fixed it!!! Many many thanks!
Had to put an if(isnull(interrupt),0,interrupt) in to get it working properly, but this was spot-on.
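The behaviour discussed in this thread, as an added example that is not part of the original posts: eval arithmetic returns null when any operand is null, so the per-row sum (per_row_total) never produces a field, while collapsing the three counter rows with stats first, plus the null guard from the last reply, yields total_cpu. The three rows, their values and the host name are constructed sample data generated with makeresults, so the search runs without any Perfmon input.

```spl
| makeresults count=3
| streamstats count as n
| eval host="constructed-host"
| eval counter=case(n=1, "% User Time", n=2, "% Privileged Time", n=3, "% Interrupt Time")
| eval Value=case(n=1, 12.5, n=2, 4.0, n=3, 0.5)
| eval user=if(counter="% User Time", Value, null())
| eval system=if(counter="% Privileged Time", Value, null())
| eval interrupt=if(counter="% Interrupt Time", Value, null())
| eval per_row_total=user+system+interrupt
| stats values(user) as user, values(system) as system, values(interrupt) as interrupt, values(per_row_total) as per_row_total by _time, host
| eval interrupt=if(isnull(interrupt), 0, interrupt)
| eval total_cpu=user+system+interrupt
```

This assumes one sample per counter for each _time and host; if several events share a timestamp, values() returns a multivalue field and the addition again produces no result.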