Hi there.
I'm fairly new to Splunk, so apologize if this is an easy one. I have setup Splunk's App for Unix..its collecting all the info very well from about 10 servers. My question is about the Reports that it provides. In the search app, if I go to reports I see lots of great reports created by the Splunk App for Unix. There is one that shows load average. I want to modify that so I can only show just certain groups of hosts. If I edit, instead of the search language, I just see a function in the search bar called Percent_Load_by_Host(*)
I'd like to be able to do something like 'Percent_Load_by_Host(server1,server3,etc) but if I enter more than one field it complains. So my question is, how can I modify this report and be able to use it for more than just showing the load average for everything? Thank you very much, still learning this.
It is a macro and its definitions is like this (macros.conf)
[Percent_Load_by_Host(1)]
args = host
definition = `os_index` `memory_sourcetype` host=$host$ | timechart avg(loadAvg1mi) by host
Change the defintion to something like this
[Percent_Load_by_Host(1)]
args = host
definition = `os_index` `memory_sourcetype` [|gentimes start=-1 | eval host="\"".$host$."\"" | table host | makemv host delim="," | mvexpand host ] | timechart avg(loadAvg1mi) by host
Now you can pass "*"
or comma separated list of host (host1,host2,host3).
Hi, I found the macros.conf file for this and commented out the original macro and replaced with what you gave. I get this error when I try and run the report now, I am pretty new to this so honestly dont know which part would be causing...
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*."\""'.
If its an easy one I would appreciate it 🙂 Thank you for the help!