How to calculate the number of CPU cores for cluster, over time?

johnansett
Communicator

This should be a simple query, but I seem unable to get the correct results when I try to display it over time.

This search works and shows me the correct number of cores for each cluster (a cluster can be made up of many VMs):

index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| stats count by vm_name,cluster_name,cpu_cores
| stats sum(cpu_cores) by cluster_name

This would look like:

Cluster Name | Cores
Cluster1 | 100
Cluster2 | 200
Cluster3 | 150

The problem starts when I try to chart this over time: because there are multiple events a day, it seems to take the sum of all of the events, so the cores are in the 1000s:

index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| stats count by vm_name,cluster_name,cpu_cores,_time
| timechart span=1d sum(cpu_cores) by cluster_name

This looks like:

_time | Cluster1 | Cluster2 | Cluster3
2018-05-31 | 1200 | 2000 | 1750
2018-05-30 | 800 | 1700 | 1520
2018-05-29 | 1500 | 2100 | 1890

But it should be the same as the sum in the first query, e.g.

_time | Cluster1 | Cluster2 | Cluster3
2018-05-31 | 100 | 200 | 150
2018-05-30 | 100 | 200 | 150
2018-05-29 | 100 | 200 | 150

I am sure this is a simple fix, please let me know what's going wrong here.

Thanks!

1 Solution

somesoni2
SplunkTrust

Give this a try

index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| bucket span=1d _time
| dedup _time vm_name cluster_name cpu_cores
| timechart span=1d sum(cpu_cores) by cluster_name

OR

index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
| bucket span=1d _time
| stats count by vm_name,cluster_name,cpu_cores,_time
| timechart span=1d sum(cpu_cores) by cluster_name

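
The Python script below is an added example (it is not code from this thread or from Splunk) that simulates the original search and the accepted answer over a small constructed set of vmware:inv:vm events, so the overcounting is visible without a Splunk instance. The inventory sourcetype is polled several times a day, and with the raw `_time` in the `stats ... by` key every poll is a distinct row, so the daily sum scales with the number of polls per day; bucketing `_time` to the day before the `stats` makes repeated polls of the same VM identical rows, which `stats` collapses to one. It also shows a caveat the thread does not cover: because `cpu_cores` is part of the key, a VM resized during the day contributes both its old and its new core count to that day's total. The `latest_daily_cores` function is my own variant, not from the thread: it keys on VM and cluster only and keeps the last observed core count. An SPL equivalent would be along the lines of `stats latest(cpu_cores) as cpu_cores by vm_name cluster_name _time` after the `bucket`, which is an assumption on my part and not something the answer posts. All event data here is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of vmware:inv:vm events (invented for this example, not real
# data and not from the thread). The inventory input polls every VM several times
# a day, so each VM appears once per poll; that repetition is what inflates a
# plain sum(cpu_cores). Tuples are (_time, vm_name, cluster_name, cpu_cores, power_state).
def _poll(day, hour, vms):
    return [(f"{day}T{hour:02d}:00:00Z", vm, cl, cores, "poweredOn") for vm, cl, cores in vms]


BASE = [("vm-a", "Cluster1", 4), ("vm-b", "Cluster1", 8), ("vm-c", "Cluster2", 2)]
RESIZED = [("vm-a", "Cluster1", 8), ("vm-b", "Cluster1", 8), ("vm-c", "Cluster2", 2)]  # vm-a grew 4 -> 8
SAMPLE_EVENTS = (
    _poll("2018-05-30", 0, BASE) + _poll("2018-05-30", 8, BASE) + _poll("2018-05-30", 16, BASE)
    + _poll("2018-05-31", 0, BASE) + _poll("2018-05-31", 8, BASE) + _poll("2018-05-31", 16, RESIZED)
    + [("2018-05-31T16:00:00Z", "vm-d", "Cluster2", 2, "poweredOff")]  # removed by the power_state filter
)


def bucket_day(ts):
    """Equivalent of `bucket span=1d _time`: truncate the timestamp to its day."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d")


def powered_on(events):
    """The base search's `power_state=poweredOn` filter."""
    return [e for e in events if e[4] == "poweredOn"]


def _sum_by_day_and_cluster(rows):
    """`timechart span=1d sum(cpu_cores) by cluster_name` over rows of (day, cluster, cores)."""
    out = defaultdict(lambda: defaultdict(int))
    for day, cluster, cores in rows:
        out[day][cluster] += cores
    return {day: dict(clusters) for day, clusters in sorted(out.items())}


def naive_daily_cores(events):
    """The original search: `stats count by vm_name,cluster_name,cpu_cores,_time` with the
    RAW _time, then timechart sum. Every poll is a distinct _time, so every poll survives
    the stats and the daily total is (cores) x (polls per day)."""
    rows = {(t, vm, cl, cores) for (t, vm, cl, cores, _) in powered_on(events)}
    return _sum_by_day_and_cluster((bucket_day(t), cl, cores) for (t, vm, cl, cores) in rows)


def dedup_daily_cores(events):
    """The accepted answer: bucket _time to the day BEFORE the stats, so the
    (day, vm, cluster, cores) key collapses repeated polls into one row per VM per day.
    Caveat: a VM whose cpu_cores changed during the day still yields two rows."""
    rows = {(bucket_day(t), vm, cl, cores) for (t, vm, cl, cores, _) in powered_on(events)}
    return _sum_by_day_and_cluster((day, cl, cores) for (day, vm, cl, cores) in rows)


def latest_daily_cores(events):
    """Variant not in the thread (my assumption): key on (day, vm, cluster) only and keep
    the core count from the latest poll of that day, so a VM resized mid-day is counted once."""
    latest = {}
    for (t, vm, cl, cores, _) in sorted(powered_on(events), key=lambda e: e[0]):
        latest[(bucket_day(t), vm, cl)] = cores  # ISO timestamps sort chronologically; later polls overwrite
    return _sum_by_day_and_cluster((day, cl, cores) for (day, vm, cl), cores in latest.items())


if __name__ == "__main__":
    for name, fn in [("naive", naive_daily_cores), ("dedup", dedup_daily_cores), ("latest", latest_daily_cores)]:
        print(name, fn(SAMPLE_EVENTS))
```

With three polls a day the naive version reports Cluster1 at 36 cores on 2018-05-30 although the VMs only have 12 between them; the bucketed version reports 12. On 2018-05-31, where vm-a was resized from 4 to 8 cores, the bucketed version reports 20 for Cluster1 (4 + 8 for vm-a plus 8 for vm-b) while the latest-value variant reports 16, which is the allocation at the end of the day.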

johnansett
Communicator

Yep, the second worked:

index="vmware-inv" sourcetype="vmware:inv:vm" eventtype=vmware_inventory power_state=poweredOn
  | bucket span=1d _time
  | stats count by vm_name,cluster_name,cpu_cores,_time
  | timechart span=1d sum(cpu_cores) by cluster_name

Ty sir!


richgalloway
SplunkTrust

Instead of sum(cpu_cores), perhaps min(cpu_cores) would be more accurate.


johnansett
Communicator

Unfortunately that won't work; it gives me the minimum value of the cpu_cores field, which is ~1 - 12 depending on the type of VM. What I want to understand is how many total vCPUs are allocated for the cluster. The field cpu_cores has as its value the number of vCPUs on each VM, and there might be 200 - 1000 VMs per cluster.
