This should be a simple query but I seem unable to get the correct results when I try and display over time.
This search works and shows me the correct number of cores for each cluster (a cluster can be made up of many VMs):
index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| stats count by vm_name,cluster_name,cpu_cores
| stats sum(cpu_cores) by cluster_name
This would look like:
Cluster Name | Cores
Cluster1 | 100
Cluster2 | 200
Cluster3 | 150
The problem starts when I try to chart this over time. Because there are multiple events a day, it seems to take the sum of all of the events, so the cores are in the 1000s:
index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| stats count by vm_name,cluster_name,cpu_cores,_time
| timechart span=1d sum(cpu_cores) by cluster_name
This looks like
_time | Cluster1 | Cluster2 | Cluster3
2018-05-31 | 1200 | 2000 | 1750
2018-05-30 | 800 | 1700 | 1520
2018-05-29 | 1500 | 2100 | 1890
But it should be the same as the sum in the first query, e.g.
_time | Cluster1 | Cluster2 | Cluster3
2018-05-31 | 100 | 200 | 150
2018-05-30 | 100 | 200 | 150
2018-05-29 | 100 | 200 | 150
I am sure this is a simple fix, please let me know what's going wrong here.
Thanks!
Give this a try
index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| bucket span=1d _time | dedup _time vm_name,cluster_name,cpu_cores
| timechart span=1d sum(cpu_cores) by cluster_name
OR
index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| bucket span=1d _time
| stats count by vm_name,cluster_name,cpu_cores,_time
| timechart span=1d sum(cpu_cores) by cluster_name
Yep, the second worked:
index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| bucket span=1d _time
| stats count by vm_name,cluster_name,cpu_cores,_time
| timechart span=1d sum(cpu_cores) by cluster_name
Ty sir!
Instead of sum(cpu_cores), perhaps min(cpu_cores) would be more accurate.
Unfortunately that won't work, it gives me a value of the minimum value for the cpu_core field, which is ~1 - 12 depending on the type of VMs... what I want to understand is how many total vCPUs are allocated for the cluster. The field cpu_core has a value of the number of vCPUs on each VM, there might be 200 - 1000 VMs per cluster.
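A Python model of the searches in this thread, added here as an illustration and not code from any poster; the events, VM names and the `latest_per_vm` variant are constructed assumptions. It shows why grouping on raw `_time` multiplies the daily total by the number of polls, why bucketing to one day first fixes that, and goes one step further: a VM resized mid-day is still counted once per distinct `cpu_cores` value unless only its latest value per day is kept.

```python
from collections import defaultdict

# Constructed inventory events: (_time, vm_name, cluster_name, cpu_cores).
# Every powered-on VM is reported by each poll, here twice a day.
EVENTS = [
    ("2018-05-30 02:00", "vm-a", "Cluster1", 4),
    ("2018-05-30 14:00", "vm-a", "Cluster1", 4),
    ("2018-05-30 02:00", "vm-b", "Cluster1", 8),
    ("2018-05-30 14:00", "vm-b", "Cluster1", 8),
    ("2018-05-31 02:00", "vm-a", "Cluster1", 4),
    ("2018-05-31 14:00", "vm-a", "Cluster1", 4),
    ("2018-05-31 02:00", "vm-b", "Cluster1", 8),
    ("2018-05-31 14:00", "vm-b", "Cluster1", 16),  # vm-b resized mid-day
]

def day(ts):
    """Model of `bucket span=1d _time`: keep only the date part."""
    return ts.split(" ")[0]

def timechart_sum(rows):
    """Model of `timechart span=1d sum(cpu_cores) by cluster_name`."""
    out = defaultdict(int)
    for d, cluster, cores in rows:
        out[(d, cluster)] += cores
    return dict(out)

def without_bucket(events):
    # `stats count by vm_name,cluster_name,cpu_cores,_time` on raw _time:
    # every poll is a distinct row, so each VM is summed once per poll.
    rows = {(t, vm, cl, c) for t, vm, cl, c in events}
    return timechart_sum((day(t), cl, c) for t, vm, cl, c in rows)

def with_bucket(events):
    # Bucketing first collapses all polls of a day into one row per
    # (day, vm, cluster, cores) combination.
    rows = {(day(t), vm, cl, c) for t, vm, cl, c in events}
    return timechart_sum((d, cl, c) for d, vm, cl, c in rows)

def latest_per_vm(events):
    # Hypothetical variant: keep only the last reported value per VM per day,
    # so a mid-day resize does not count the VM twice.
    latest = {}
    for t, vm, cl, c in sorted(events):  # ISO-style timestamps sort in time order
        latest[(day(t), vm)] = (cl, c)
    return timechart_sum((d, cl, c) for (d, vm), (cl, c) in latest.items())

if __name__ == "__main__":
    for fn in (without_bucket, with_bucket, latest_per_vm):
        print(fn.__name__, fn(EVENTS))
```
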