I'm having trouble with a search and I'm banging my head against the wall. I feel like I'm on the right track but just not there yet.
So, long story short: I'm charting Windows server performance metrics. I'm working on Memory. The events I'm using for this are collected via Perfmon. In this case, I want to chart roughly how much memory a server is using. To do this I can get the "Available MBytes" perfmon counter and subtract from the server's installed physical RAM. Perfmon can't tell me how much physical RAM the server has, so I used PowerShell to create a lookup table that has all of our servers and their configured RAM in them, because this isn't going to change very often. That way I can take configured RAM minus Available MBytes = Used RAM.
My first search just charts the "Available MBytes" counter, nothing fancy:
host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes" | eval GBs=(Value/1024) | timechart bins=500 avg(GBs) by counter
My lookup table (a CSV) has two columns: Server and RAM. Server has the server name in it, RAM is just the number in GB of RAM. So let's assume ServerName001 has 8GB of RAM. I can get the 8 back from the lookup table a few ways.
| inputlookup InstalledRAMLookup.csv | search Server=ServerName001 | fields RAM
I can also run an eval against the RAM after I grab it out of the lookup table and get the correct result for DivTest, like so:
| inputlookup InstalledRAMLookup.csv where (Server="ServerName001") | eval DivTest=(1/RAM)
What I can't seem to do is combine these searches together in a way that I can get the value of RAM and use it in an eval statement to get a simple piece of data per event: RAM - Available MBytes = Usage. I think the answer may be in using eval TotalGBs=[ lookup statement here] but Splunk says you can't put a boolean in an eval function.
Any help on this would be greatly appreciated. Thank you.
You need to use lookup, not inputlookup. This should add a field called RAM with values for the matching host. You can now use this for your calculation (GB/RAM):
host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes" | lookup InstalledRAMLookup.csv Server AS host OUTPUT RAM | eval GBs=(Value/1024) | ...
My lookup doesn't appear to be working. If I just do a regular | inputlookup InstalledRAMLookup the entire table returns, which is good. If I use host=ServerName001 sourcetype="Perfmon:Memory" counter="Available MBytes" | lookup InstalledRAMLookup Server OUTPUT RAM | table host,RAM,Value to try and take a look at all the events to make sure RAM is getting populated, I get a NULL value in return. I know I've defined the lookup via the Splunk web interface and set permissions to be open to everyone. I'm not sure what I'm missing here, I will keep looking.
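
The calculation the thread is working toward, written out as an added example (not part of any post above): the lookup's Server column is matched against each event's host field, and used memory is RAM minus available memory in GB. It goes beyond the single-host case by dropping the host filter and charting per host; AvailableGB and UsedGB are field names chosen here for illustration.

```spl
sourcetype="Perfmon:Memory" counter="Available MBytes"
| lookup InstalledRAMLookup.csv Server AS host OUTPUT RAM
| eval AvailableGB = Value / 1024
| eval UsedGB = RAM - AvailableGB
| timechart bins=500 avg(UsedGB) BY host
```

Events whose host has no matching Server row get a null RAM, so UsedGB is null and that host drops out of the chart. CSV lookups match case-sensitively by default, so the Server values must be written exactly as the host values appear in the events.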