- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with timechart overlay?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a search that plots CPU and max Attendees over time. It's rather convoluted, and I'm wondering if there's a better way. I'm pretty new to splunk. Any suggestions?
host="freeswitch" sourcetype="cpu" | eval earliest=info_min_time | eval latest=info_max_time | multikv |
append [search host="freeswitch" sourcetype="cdr_xml" |
eval Conf_Start=strftime(startTime,"%H:%M:%S %m/%d/%y") |
eventstats count(callerName) as Attendees by Conf_Start] |
timechart span=5m max(cpu_user_percent) as CPU max(Attendees) as Attendees
thanks,
mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
host="freeswitch" sourcetype="cpu"
| eval earliest=info_min_time
| eval latest=info_max_time
| multikv
| timechart span=5m max(cpu_user_percent) as CPU
| appendcols
[ search host="freeswitch" sourcetype="cdr_xml"
| eval Conf_Start=strftime(startTime,"%H:%M:%S %m/%d/%y")
| eventstats count(callerName) as Attendees by Conf_Start
| timechart span=5m max(Attendees) as Attendees]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
host="freeswitch" sourcetype="cpu"
| eval earliest=info_min_time
| eval latest=info_max_time
| multikv
| timechart span=5m max(cpu_user_percent) as CPU
| appendcols
[ search host="freeswitch" sourcetype="cdr_xml"
| eval Conf_Start=strftime(startTime,"%H:%M:%S %m/%d/%y")
| eventstats count(callerName) as Attendees by Conf_Start
| timechart span=5m max(Attendees) as Attendees]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron, is your way quicker, or less processor intensive? it's definitely aesthetically better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure if it's quicker or more efficient you'd have to run the queries and compare them. I just learned to use appendcols to put two graphs into one.
This has a nice explanation of the differences in the append type commands if that helps: https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I saw that, but my data comes from two different source types. i wasn't sure how to get the the data from the second source type without a separate search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think what you really want is appendcols
http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Appendcols
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool. i definitely like it better than the one i was using. thanks.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
