Monitoring Splunk

How to combine three different source types (CPU, Memory, Network Utilization as percentage) from same index type and get one report

vickgic
New Member

Hi,

I have a problem here: we have three source types named "CPUtime", "Memory", "Localnetwork".
The CPUtime source type has fields such as object="Processor" counter="% Processor Time" instance="*"
The Memory source type has fields such as object="Memory" counter="Committed Bytes"
The Local Network source type has fields such as object="Network Interface" counter="Bytes Received/Sec"

Currently I am trying to combine these three source types and calculate the average as a percentage, put in one report.

I have tried almost everything but nothing seems to be working. The output should list host, CPU, Memory, Network in %. Can you please help me with this one?

Thanks
Vick

0 Karma

sundareshr
Legend

Try this

index=xyz (sourcetype=CPUtime OR sourcetype=Memory OR sourcetype=Localnetwork)  (counter="% Processor Time" OR counter="Committed Bytes" OR counter="Bytes Received/Sec") | chart  avg(Value) as values over host by counter
0 Karma

vickgic
New Member

Hi Sundaresh,

Just adding to the above comment: I tried using the command eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') 100, 2) |, and it shows the same value as the Available Bytes (1342345466) instead of showing a percentage.

Please advise on this also.

Thanks in advance.

Best Regards,
Vick

0 Karma

vickgic
New Member

Hi Sundaresh,

Thanks for providing the command, it was really helpful.

I used the following syntax, and the sample output is shown below.

index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | chart max(Value) as values over host by counter

Output:
host %CPUTime Available Bytes Committed Bytes Bytes Total/Sec
xxxxxxx 3.55555 1003000000000 803000000000 3520600192

Basically what I want to achieve is Memory as a percentage, same as CPUtime. I tried using the command syntax eval(Committed Bytes/Available Bytes + Committed Bytes)* 100.

Could you please help with this?

Much appreciate your advice, thanks in advance.

Best Regards,
Vick

0 Karma

sundareshr
Legend

Since the field names have a space, you need to put them within quotes. So try this

index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") 
| eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2)
| chart max(Value) as values over host by counter 
| table host "%CPUTime" MemPerc "Bytes Total/Sec"
0 Karma

vickgic
New Member

Thanks for your prompt reply. I tried using the following command syntax:

index= xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork") host="*" (counter="% Processor Time" OR (counter="Available Bytes" OR counter="Committed Bytes") OR counter="Bytes Total/Sec") | eval MemPerc=round(('Committed Bytes'/'Available Bytes' + 'Committed Bytes') * 100, 2) | chart max(Value) as values over host by counter | table host,"%CPUTime", MemPerc,"Bytes Total/Sec"

The output it displays as a table is only the host names, whereas fields such as "%CPUTime", MemPerc, "Bytes Total/Sec" are blank with no values.

Can you please help with this?

Thanks
Vick

0 Karma
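The following search is an added example, not posted by anyone in the thread. It reorders the pipeline so that `eval` runs after `chart`: each raw Perfmon event carries only `counter` and `Value`, so fields named 'Committed Bytes' and 'Available Bytes' exist only once `chart` has pivoted the counters into columns. It assumes the columns are named after the counter values in the filter (so the CPU column is "% Processor Time") and that the intended memory ratio is Committed / (Available + Committed).

```spl
index=xyz (sourcetype="Perfmon:CPUTime" OR sourcetype="Perfmon:Memory" OR sourcetype="Perfmon:LocalNetwork")
    (counter="% Processor Time" OR counter="Available Bytes" OR counter="Committed Bytes" OR counter="Bytes Total/Sec")
| chart max(Value) over host by counter
| eval MemPerc=round('Committed Bytes' / ('Available Bytes' + 'Committed Bytes') * 100, 2)
| table host "% Processor Time" MemPerc "Bytes Total/Sec"
```

The network column stays in bytes per second, because turning it into a percentage needs the interface bandwidth, which the thread does not provide.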