I have a search that will show me the top 3 processes like this
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f
I want to add the total line to the top three to combine them into one total CPU line.
I tried this but it did not work:
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | streamstats sum(pctCPU) as TOTAL
Any help would be appreciated.
You need to use the foreach command for that, OR addtotals:
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | addtotals
or
host=foo sourcetype=top | timechart span=1m sum(pctCPU) BY COMMAND limit=3 useother=f | eval Total=0| foreach * [eval Total=Total+'<<FIELD>>']
Like this (NOTE: You should not use sum the way that you were):
host=foo sourcetype=top | timechart span=1m avg(pctCPU) BY COMMAND limit=3 useother=f
| eval _combined = 0
| foreach * [ eval _combined = _combined + <<FIELD>> ]
| eval _combined = _combined/3
| rename _combined AS combined
I don't think you want line 4 to be in there for "total" cpu time.
Is there any functional advantage to using _combined rather than combined? The code seems to function the same either way. Perhaps a useful personal naming convention for working fields?
It is as nonsensical to have a "sum of percentages" as it is to have a "total average". I am making a guess at what he is really needing to do, given that the metric that he is working with is an "average" of sorts (pctCPU). It makes NO SENSE to do sum(pctCPU); that's the point. Therefore, my line 4 is necessary to continue working as averages (sum the 3 and divide by 3). The trick of using _combined vs. combined is so that when you do foreach *, the wildcard will not include the "invisible" (_*) fields. Try this:
| makeresults
| eval a=1, b=2, c=3, _d=4, e=5
| eval _clump="clumped:"
| foreach * [eval _clump = _clump . <<FIELD>>]
| rename _clump AS clump
Notice that the value for _d is not included, and notice also that clumped only appears once. Now notice the "brokenness" of this, which would otherwise require extra gymnastics inside of the foreach:
| makeresults
| eval a=1, b=2, c=3, _d=4, e=5
| eval clump="clumped:"
| foreach * [eval clump = clump . <<FIELD>>]
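Following on from the avg/foreach approach above, here is an added search (my own, not code from any of the posters) that keeps the underscore-prefixed working fields but removes the hard-coded "/3" and handles time buckets where one of the three commands is absent. In such a bucket the timechart column is null, and in eval null + number is null, so the plain accumulator would silently blank the combined value for that minute; this version counts only the columns that actually have a value. The field names host, sourcetype, pctCPU and COMMAND are taken from the question.

```spl
host=foo sourcetype=top
| timechart span=1m avg(pctCPU) BY COMMAND limit=3 useother=f
| eval _combined = 0, _n = 0
| foreach * [
    eval _combined = _combined + coalesce('<<FIELD>>', 0),
         _n = _n + if(isnull('<<FIELD>>'), 0, 1)
  ]
| eval combined = if(_n > 0, _combined / _n, null())
| fields - _combined _n
```

The single quotes around '<<FIELD>>' matter because COMMAND values such as kworker/0:1 contain characters that eval would otherwise parse as operators; _time, _combined and _n are skipped by the wildcard for the reason the thread explains.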