Hi,
I am trying to create a timechart which data would be based on a subsearch. Here is what I have so far :
index=perf_mon test_nvidia | | timechart bins=100 [search | rex mode=sed field=gpus "s/GPU(\d+)/avg(mem_used\1_GB) as GPU\1,/g" | nomv gpus | rename gpus as search| format "" "" "" "" "" "by host" | rex mode=sed field=search "s/\"//g"]
The first search yields fields named
mem_used0_GB
...
mem_used7_GB
Now, the subsearch
| rex mode=sed field=gpus "s/GPU(\d+)/avg(mem_used\1_GB) as GPU\1,/g" | nomv gpus | rename gpus as search| format "" "" "" "" "" "by host" | rex mode=sed field=search "s/\"//g"
produces a single field called "search", which contains :
avg(mem_used4_GB) as GPU4, avg(mem_used5_GB) as GPU5, by host
However, when I add the subsearch to the timechart command, Splunk gives me the error :
Error in 'timechart' command: The argument ' avg(mem_used5_GB)' is invalid.
What am I doing wrong ?
I have not managed to do it within the timechart command. However, it works if I first do it in a "fields" command, aka :
index=perf_mon test_nvidia | fields [search ... ],_*,host | timechart ...
I have not managed to do it within the timechart command. However, it works if I first do it in a "fields" command, aka :
index=perf_mon test_nvidia | fields [search ... ],_*,host | timechart ...