Solved: I want to identify the top 10 cpu averages over th...

lycollicott · ‎05-06-2016

So, I use this query:

index=perfmon object=Processor host=* counter="% Processor Time" | stats avg(Value) as 15minavg by host | sort 5 - 15minavg

to produce a dashboard panel like this:

host    15minavg
server08    82.822502
server11    56.993420
server04    56.809193
server19    52.914549
server12    52.114838

Now, I would like to rework that panel to be a horizon visualization of timechart span=1m avg(Value) by host for only those servers.
It's Friday afternoon and I've spent the last 3 hours trying top, where, append, join and I'm no further ahead than when I began.

Any suggestions?

javiergn · ‎05-06-2016

What about using a subsearch like this:

  index=perfmon object=Processor counter="% Processor Time" earliest=-15m [
      | search index=perfmon object=Processor host=* counter="% Processor Time" earliest=-15m 
      | stats avg(Value) as 15minavg by host 
      | sort 5 - 15minavg 
      | table host 
  ] | timechart span=1m avg(Value) by host

View solution in original post

somesoni2 · ‎05-06-2016

Try this

index=perfmon object=Processor host=* counter="% Processor Time" [search index=perfmon object=Processor host=* counter="% Processor Time" | stats avg(Value) as 15minavg by host | sort 5 - 15minavg | table host ] | timechart span=1m avg(Value)  by host

javiergn · ‎05-06-2016

What about using a subsearch like this:

  index=perfmon object=Processor counter="% Processor Time" earliest=-15m [
      | search index=perfmon object=Processor host=* counter="% Processor Time" earliest=-15m 
      | stats avg(Value) as 15minavg by host 
      | sort 5 - 15minavg 
      | table host 
  ] | timechart span=1m avg(Value) by host

I want to identify the top 10 cpu averages over the past 15 minutes and then "timechart span=1m" that average cpu over that same 15 minutes

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life