All Apps and Add-ons

Splunk for *nix - Memory By host not showing properly

nirt
Path Finder

Hi,
I'm using Splunk for Unix and Linux and when I go to the Memory by Host, it shows me the information however I do not have it split up by Host when I have 'all hosts' picked.
I'm expecting this to view just like CPU by Host

Any idea?

Thanks

0 Karma
1 Solution

dart
Splunk Employee
Splunk Employee

The default graphs in that dashboard would lead to an 'extra' dimension as they have mulitple series on the same chart.

You could split out each of the functions:

## $SPLUNK_HOME/etc/apps/unix/local/macros.conf
## existing macro in the Dashboard
[Mem_Usage_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free, median(memUsedPct) as Percent_Mem_Used, median(swapUsedPct) as Percent_Swap
## new macros
[Mem_Free_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free by host
[Mem_Used_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(memUsedPct) as Percent_Mem_Used by host
[Mem_Swap_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(swapUsedPct) as Percent_Swap by host

And then switch out the view by placing the below into $SPLUNK_HOME/etc/apps/unix/local/data/ui/views/mem_by_host.xml

<form class="formsearch">
  <label>Memory by Host</label>

  <fieldset>
      <input type="dropdown" token="host" searchWhenChanged="true">
          <label>Host:</label>
          <default>localhost</default>
          <populatingSearch fieldForValue="host" fieldForLabel="host">| metadata type=hosts index=os</populatingSearch>
          <choice value="*">all</choice>
       </input>  
    <input type="time" searchWhenChanged="true"/>
  </fieldset>

  <row>
    <html><center><h1>Memory by Host</h1></center></html>
  </row>

  <row>
      <chart>
          <title>Percent Memory Free by Host</title>
          <searchTemplate>`Mem_Free_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Free</option>
      </chart>
      <chart>
          <title>Percent Memory Used by Host</title>
          <searchTemplate>`Mem_Used_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Used</option>
      </chart>
      <chart>
          <title>Percent Memory Swap by Host</title>
          <searchTemplate>`Mem_Swap_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Swap</option>
      </chart>
  </row>
  <row>
      <table>
          <title>Physical Memory by Host</title>
          <searchTemplate>`Memory_Hardware_by_Host($host$)`</searchTemplate>
      </table>
  </row>


</form>

View solution in original post

dart
Splunk Employee
Splunk Employee

The default graphs in that dashboard would lead to an 'extra' dimension as they have mulitple series on the same chart.

You could split out each of the functions:

## $SPLUNK_HOME/etc/apps/unix/local/macros.conf
## existing macro in the Dashboard
[Mem_Usage_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free, median(memUsedPct) as Percent_Mem_Used, median(swapUsedPct) as Percent_Swap
## new macros
[Mem_Free_for_Host(1)]
args = host
definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart median(memFreePct) as Percent_Mem_Free by host
[Mem_Used_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(memUsedPct) as Percent_Mem_Used by host
[Mem_Swap_for_Host(1)]
    args = host
    definition = index=os sourcetype=vmstat host=$host$ | multikv fields memFreePct, memUsedPct, swapUsedPct | timechart  median(swapUsedPct) as Percent_Swap by host

And then switch out the view by placing the below into $SPLUNK_HOME/etc/apps/unix/local/data/ui/views/mem_by_host.xml

<form class="formsearch">
  <label>Memory by Host</label>

  <fieldset>
      <input type="dropdown" token="host" searchWhenChanged="true">
          <label>Host:</label>
          <default>localhost</default>
          <populatingSearch fieldForValue="host" fieldForLabel="host">| metadata type=hosts index=os</populatingSearch>
          <choice value="*">all</choice>
       </input>  
    <input type="time" searchWhenChanged="true"/>
  </fieldset>

  <row>
    <html><center><h1>Memory by Host</h1></center></html>
  </row>

  <row>
      <chart>
          <title>Percent Memory Free by Host</title>
          <searchTemplate>`Mem_Free_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Free</option>
      </chart>
      <chart>
          <title>Percent Memory Used by Host</title>
          <searchTemplate>`Mem_Used_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Used</option>
      </chart>
      <chart>
          <title>Percent Memory Swap by Host</title>
          <searchTemplate>`Mem_Swap_for_Host($host$)`</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.secondaryAxisTitle.text">% Mem Swap</option>
      </chart>
  </row>
  <row>
      <table>
          <title>Physical Memory by Host</title>
          <searchTemplate>`Memory_Hardware_by_Host($host$)`</searchTemplate>
      </table>
  </row>


</form>

dart
Splunk Employee
Splunk Employee

Thanks! I've edited the answer

0 Karma

alanfinlay
Path Finder

This works great, but one minor typo in the macros:

new macros

[Mem_Free_by_Host(1)]

Should be

new macros

[Mem_Free_for_Host(1)]

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...