Splunk Search

Search query for perfmon counter

rsathish47
Contributor

Hi All,

We had configured Splunk to get the perfmon counter data from the server (every 5 mins). The counter value gets reset frequently.

We found that the raw data is not coming in order (time sorted), and sometimes the counter value gets incremented within a second, as shown below. We can't use sort; it is limited to 10,000 (as per the standard conf). We are receiving more than 10 lakh events per day in perfmon.

The data comes in like below, per second:

Date Server counter Value

09_29_2014_00_47_36 WTPCPJLKVS69 Messages Processed 3932     
09_29_2014_00_47_36 WTPCPJLKVS69 Messages Processed 3929     
09_29_2014_00_47_36 WTPCPJLKVS69 Messages Processed 3937

Expected:

We are expecting it as below.

Date Server counter Value

09_29_2014_00_47_36 WTPCPJLKVS69 Messages Processed 3937     
09_29_2014_00_47_36 WTPCPJLKVS69 Messages Processed 3932     
09_29_2014_00_47_36 WTPCPJLKVS69 Messages Processed 3929

We are using streamstats to calculate the total captured messages per day.

Query:

index=win_srv_perf (object="XXXXXXXXXXX") counter="XXXXXXXXXX" host="XXXXXXXXXX"| eval Time = strftime(_time,"%m_%d_%Y_%H_%M_%S") | streamstats current=f last(Value) as newValue by host counter | eval msgDiff=(if(newValue>=Value,newValue-Value,newValue)) | table Time DumID host counter Value newValue msgDiff | stats sum(msgDiff) as value by host counter

somesoni2
SplunkTrust

You can use "|sort 0 host, counter, Value" to sort more than 10000 rows.

rsathish47
Contributor

Thanks, somesoni2. It worked.
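
Added example, not part of the original thread and not Splunk code: a Python model of the question's streamstats delta logic, run over constructed events, showing how same-second events that arrive out of order are misread as a counter reset and how ordering the events first corrects the total. Only the three 00:47:36 rows come from the question; the other rows, the function names, and the newest-first ordering with ties broken by higher Value (the order the question lists as expected) are assumptions.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%m_%d_%Y_%H_%M_%S"  # same format as the strftime() in the question's query

# Constructed sample events in arrival order: (Time, host, counter, Value).
# The 00:47:36 rows are from the question; the 00:42:36 and 00:52:36 rows are
# invented (the latter is a low reading taken after a counter reset).
RAW = [
    ("09_29_2014_00_52_36", "WTPCPJLKVS69", "Messages Processed", 120),
    ("09_29_2014_00_47_36", "WTPCPJLKVS69", "Messages Processed", 3932),
    ("09_29_2014_00_47_36", "WTPCPJLKVS69", "Messages Processed", 3929),
    ("09_29_2014_00_47_36", "WTPCPJLKVS69", "Messages Processed", 3937),
    ("09_29_2014_00_42_36", "WTPCPJLKVS69", "Messages Processed", 3900),
]


def daily_totals(events):
    """Model of: streamstats current=f last(Value) as newValue by host counter
    | eval msgDiff=if(newValue>=Value, newValue-Value, newValue)
    | stats sum(msgDiff) by host counter"""
    prev = {}                   # last Value seen per (host, counter)
    totals = defaultdict(int)
    for _time, host, counter, value in events:
        key = (host, counter)
        new_value = prev.get(key)
        if new_value is not None:   # first event of a group has no newValue
            # newValue < Value is treated as a reset: count newValue from zero
            totals[key] += new_value - value if new_value >= value else new_value
        prev[key] = value
    return dict(totals)


def newest_first(events):
    """Order events newest first; within the same second, higher Value first
    (assumes the counter does not reset inside a single second)."""
    return sorted(events,
                  key=lambda e: (datetime.strptime(e[0], FMT), e[3]),
                  reverse=True)


if __name__ == "__main__":
    print("arrival order:", daily_totals(RAW))
    print("sorted first :", daily_totals(newest_first(RAW)))
```

In arrival order the 3929 -> 3937 pair looks like a reset, so the whole 3929 is added to the sum; after ordering, only the real increments (37 before the reset plus 120 after it) are counted.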
