Splunk Search

"Value" Interesting Field - 2 different types of information

TheJagoff
Communicator

Hello (again),

I have the following search:
index=perfmon (host=serverA OR host=serverB) (object="Processor" OR object="Memory" OR object="Network Interface")

The Interesting Fields that I need to utilize are:
cpu_percent
Value

The problem is that "Value" represents the memory percent and the network use in kb's

My question is - how do I write the search to break the 2 fields out as value for Memory and value for Network Usage?

Many thanks.


adonio
Ultra Champion

Sorry for the answer above, I did not fully understand you.
I think it's not ideal to search by "object", as each object has more than one counter and each counter has values that match the counter. So you can see, for example, under object="Processor" you have counters that represent percent (value between 0-100) and others that represent Interrupts/sec, for example, with values in the range of 0-100000. That has a large impact on the avg.
Regardless, you can just split by whichever field you find valuable and Splunk will obey:

index=perfmon (host=serverA OR host=serverB) (object="Processor" OR object="Memory" OR object="Network Interface") | stats avg(Value) by object cpu_percent field3 field4 fieldn

Here are 2 screenshots, the first is based on split by object, the second is split by counter.
[screenshot: stats split by object]

[screenshot: stats split by counter]

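One way to get both meanings of Value into separate columns in a single search, as an added example that is not from the thread: an eval step copies Value into a per-object field, so stats can average each one on its own instead of mixing memory percent with network kilobytes. The field names memory_value and network_kb are assumed here, as is the counter field adonio mentions.

```spl
index=perfmon (host=serverA OR host=serverB) (object="Processor" OR object="Memory" OR object="Network Interface")
| eval memory_value=if(object="Memory", Value, null())
| eval network_kb=if(object="Network Interface", Value, null())
| stats avg(cpu_percent) AS avg_cpu_percent avg(memory_value) AS avg_memory_value avg(network_kb) AS avg_network_kb by host, counter
```

Grouping by counter as well keeps different counters under the same object (for example a percent counter and an Interrupts/sec counter) from being averaged together; drop counter from the by clause only once the search is narrowed to a single counter per object.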


adonio
Ultra Champion

Hello there,
Please check out this answer: https://answers.splunk.com/answers/522554/how-to-edit-my-alert-search-to-convert-available-m.html
The idea is that you can collect the right counter that shows a percentage instead of trying to calculate based on 2 events with a common field name.
There are other solution approaches within that answer as well.


TheJagoff
Communicator

Hello,
I don't think that this is what I am asking for help on.
I want to run this as one search and split out the Value field for Memory and the Value field for Network. No calculations involved.


adonio
Ultra Champion

My bad for misunderstanding the question.
Another answer, with a screenshot, is in a second answer.
