Splunk Search

Cannot find remote data using timechart

huangyingleo
New Member

Here is my test environment: I have two VMs, PC1 and PC2; PC1 works as the server end and PC2 as the client end. I am trying to collect vmstat data from PC2. I installed Splunk_TA_NIX on both sides.
I can find events like this:
But when I use timechart, all the data just vanishes. Take a look.
I got confused. Can you give me some ideas to solve this? Thanks....

1 Solution

martin_mueller
SplunkTrust

First, flip to the other pages in the table returned by the timechart.

If that doesn't yield data, make sure the field is actually extracted correctly.


Arun_N_007
Communicator

Try to convert loadAvgIni to a number using

... | eval loadAvgIni=tonumber(loadAvgIni) | timechart avg(loadAvgIni)

And then do the timechart; it should work...

Or

You can check whether loadAvgIni is extracted or not using

index=os host=PC2 sourcetype=vmstat loadAvgIni=*

If it is not returning any data you must extract the field first.

Use multikv to extract values.

index=os host=PC2 sourcetype=vmstat|multikv|timechart avg(loadAvgIni)

Regards,
Arun N


huangyingleo
New Member

Thanks, I think the root cause is that 'loadAvg1mi' is a string field, not a numeric one.

huangyingleo
New Member

Hi, Martin,
Can you take a look at this screenshot?


chimell
Motivator

Hi
Verify that the loadAvgIni field is well extracted.
And try using this search code:

index=os host=PC2 sourcetype=vmstat |timechart avg(loadAvgIni)

huangyingleo
New Member

Hi, Chimell,
I tried your method and it doesn't work....
Also I tried "index=os sourcetype=vmstat host=PC2 | timechart avg(threads)" and other fields like memTotalMB. Still nothing in the new form returned by timechart.....


huangyingleo
New Member

I checked other pages in the table returned by timechart and found nothing.
As to "make sure the field is actually extracted correctly", how? I think I can find data by using "index=os sourcetype=vmstat" and can see events returned by the search, which means the field is extracted correctly. Am I right?


martin_mueller
SplunkTrust

That says loadAvg1mi is a string value (see the "a"); you can't compute an average of strings.

What's the value of the field?


huangyingleo
New Member

Yes, Martin,
You are right! I love you!


huangyingleo
New Member

Hi, here is the outcome.

Search command: index=os sourcetype=vmstat host=PC2

Selected Fields

a   host    1   
a   source  1   
a   sourcetype  1   

Interesting Fields

a   dest    1   
a   eventtype   1   
a   index   1   
#   linecount   1   
a   loadAvg1mi  1   
a   punct   1   
a   splunk_server   1   
a   src 1   
a   tag 8   
a   tag::eventtype  8   
a   timestamp   1   

martin_mueller
SplunkTrust

Run index=os sourcetype=vmstat in smart mode and see if the field appears in the left bar.


huangyingleo
New Member

Hi, Martin,
But how do I "make sure the field is actually extracted correctly"? I think I can generate events with "index=os sourcetype=vmstat" like picture 1, which means the raw data is collected.
