Getting Data In

Renaming fields from Perfmon CSV

skark166
New Member

Splunk v6.6.5

I have my Perfmon CSVs from my Domain Controllers imported into Splunk for a dashboard. When the CSV is ingested by Splunk, it associates the column values to the appropriate CSV headers. The headers all contain the hostname in them. It also replaces all the special characters with underscores. This makes combining them a real trick.

CSV Sample 1:

| MyDC01_Processor__Total__ Processor Time | MyDC01_Processor__Total__ Idle Time |
| --- | --- |
| 12 | 88 |

CSV Sample 2:

| MyDC02_Processor__Total__ Processor Time | MyDC02_Processor__Total__ Idle Time |
| --- | --- |
| 8 | 92 |

I'm trying to create a dashboard that shows avg, max and min (for example). My search as such is the closest I've gotten. But it just gives me the field names as the field values.

index=perfmon sourcetype=dc_perfmon 
   | fields host, "*_Processor__Total__ *"
   | foreach "*_Processor__Total__ *"
       [ 
           eval "<<MATCHSEG2>>" = mvsort(mvappend("<<MATCHSEG2>>","<<FIELD>>")) 
       ]

which provides me with output like so (Processor Time and Idle time are both MV fields):

host: MyDC01
MyDC01_Processor__Total__ Processor Time: 12
MyDC01_Processor__Total__ Idle Time: 88
Processor Time: Processor Time, MyDC02_Processor__Total__ Processor Time
Idle Time: Idle Time, MyDC02_Processor__Total__ Idle Time

host: MyDC02
MyDC02_Processor__Total__ Processor Time: 12
MyDC02_Processor__Total__ Idle Time: 88
Processor Time: Processor Time, MyDC02_Processor__Total__ Processor Time
Idle Time: Idle Time, MyDC02_Processor__Total__ Idle Time

I've tried several variations. I can do it if I separate all of the foreach statements out per field, but that takes so much memory Splunk usually chunks up and dies (My performance CSVs have about 30 fields after all). It only shows my desired field name and the full name of the last unmodified field. I've asked our internal Splunk experts, but they have no solutions. Any advice would be awesome.

Desired outcome would be something like so:

host: MyDC01
MyDC01_Processor__Total__ Processor Time: 12
MyDC01_Processor__Total__ Idle Time: 88
Processor Time: 12
Idle Time: 88
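
An added example, not part of the original post: in `eval`, double-quoted text on the right-hand side is a string literal, while single quotes reference a field's value, which is why the search above returns field names as values. This variant uses `'<<FIELD>>'` and then aggregates per host. The `stats` clause and its output names (`avg_processor_time` and so on) are assumptions based on the two columns shown in the samples.

```spl
index=perfmon sourcetype=dc_perfmon
| fields host, "*_Processor__Total__ *"
| foreach "*_Processor__Total__ *"
    [ eval "<<MATCHSEG2>>" = '<<FIELD>>' ]
| stats avg("Processor Time") AS avg_processor_time,
        max("Processor Time") AS max_processor_time,
        min("Processor Time") AS min_processor_time,
        avg("Idle Time") AS avg_idle_time,
        max("Idle Time") AS max_idle_time,
        min("Idle Time") AS min_idle_time
        BY host
```

This assumes each event carries only its own host's columns, so the plain assignment never overwrites a value from another host.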