Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the most recent value for 2 fields and plot them in a pie chart?

sushmitha_mj
Communicator
‎04-15-2015 07:30 AM

I am trying to figure out how to retrieve the most recent value for the free memory and used memory in MB. I want to plot them in a pie chart to get an accurate picture of memory usage, instead of a timechart that gives usage over a period of time. How should I get recent value of the fields?

Search:

index=os sourcetype=vmstat host=$host$ | timechart median(memFreeMB) as Mem_Free, median(memUsedMB) as Mem_Used by host
Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎04-15-2015 08:23 AM

If you want the latest value only, you need to use a stats command using the first function. It is important to understand that Splunk organizes the data in a reverse-time notation. Assume for example that you have a data set like this:

Wed Apr 15 10:10:01 EDT 2015 myserver memFreeMB=0 memUsedMB=4096
Wed Apr 15 10:20:02 EDT 2015 myserver memFreeMB=1024 memUsedMB=3072
Wed Apr 15 10:30:01 EDT 2015 myserver memFreeMB=2048 memUsedMB=2048
Wed Apr 15 10:40:01 EDT 2015 myserver memFreeMB=3072 memUsedMB=1024

Once you index the data, you end up with a reverse-time ordering where the latest event is shown first. Add the following using the stats command and you get a table.

| stats first(memFreeMB) AS memFreeMB first(memUsedMB) AS memUsedMB

Once you've done that, you need to flip the table so that you have a col, val format. That's the expected format for a pie chart. The easiest way is to use the transpose command.

| transpose

All together you get something like this:

alt text

I hope this helps you.

--
gc

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎04-15-2015 08:23 AM

If you want the latest value only, you need to use a stats command using the first function. It is important to understand that Splunk organizes the data in a reverse-time notation. Assume for example that you have a data set like this:

Wed Apr 15 10:10:01 EDT 2015 myserver memFreeMB=0 memUsedMB=4096
Wed Apr 15 10:20:02 EDT 2015 myserver memFreeMB=1024 memUsedMB=3072
Wed Apr 15 10:30:01 EDT 2015 myserver memFreeMB=2048 memUsedMB=2048
Wed Apr 15 10:40:01 EDT 2015 myserver memFreeMB=3072 memUsedMB=1024

Once you index the data, you end up with a reverse-time ordering where the latest event is shown first. Add the following using the stats command and you get a table.

| stats first(memFreeMB) AS memFreeMB first(memUsedMB) AS memUsedMB

Once you've done that, you need to flip the table so that you have a col, val format. That's the expected format for a pie chart. The easiest way is to use the transpose command.

| transpose

All together you get something like this:

alt text

I hope this helps you.

--
gc

Preview file
1 KB
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎04-15-2015 08:46 AM

@Giberto Castillo
Thank you so much for the explanation of the solution as well... It worked perfectly fine...

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-15-2015 07:57 AM

Hi sushmitha_mj ,

to get recent value of a field you can use first() with stats cammand :

for exemple:

index=os sourcetype=vmstat host=$host$ |stats first(memFreeMB) as Mem_Free, first(memUsedMB) as Mem_Used by host

Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎04-15-2015 08:47 AM

@stephane_cyrille
It worked thanks...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...