Solved: serach string combination

Splunk_U · ‎12-26-2012

I want to create a sreach string that will provide the avegCPU util, PeakCPU util, AvgMem util and PeakMem util.
I have created four different search string. How to combine them?

average memory usage
index=os sourcetype=vmstat | multikv fields memUsedPct | stats avg(memUsedPct) by host

peak memory usage
index=os sourcetype=vmstat | multikv fields memUsedPct | stats max(memUsedPct) by host

average CPU usage
index=os sourcetype=cpu | multikv fields pctIdle | search all | eval Percent_CPU_Load = 100 - pctIdle | stats avg(Percent_CPU_Load) as Average by host

Peak CPU usage
index=os sourcetype=cpu | multikv fields pctIdle | search all | eval Percent_CPU_Load = 100 - pctIdle | stats max(Percent_CPU_Load) as Peak by host

HELP me out!!!!

lguinn2 · ‎12-26-2012

This should do it:

index=os sourcetype=vmstat 
| multikv fields memUsedPct  
| stats avg(memUsedPct) max(memUsedPct) by host
| join host [ search index=os sourcetype=cpu 
    | multikv fields pctIdle  
    | search all  
    | eval Percent_CPU_Load = 100 - pctIdle  
    | stats avg(Percent_CPU_Load) as Average max(Percent_CPU_Load) as Peak  by host ]

View solution in original post

lguinn2 · ‎12-26-2012

This should do it:

index=os sourcetype=vmstat 
| multikv fields memUsedPct  
| stats avg(memUsedPct) max(memUsedPct) by host
| join host [ search index=os sourcetype=cpu 
    | multikv fields pctIdle  
    | search all  
    | eval Percent_CPU_Load = 100 - pctIdle  
    | stats avg(Percent_CPU_Load) as Average max(Percent_CPU_Load) as Peak  by host ]

serach string combination

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!