Splunk Search

Any other way to simplify this search?

theouhuios
Motivator

Hello

I am trying to find out if there is any way to use just one search to get the data for all of them. Can we do a postprocess inside a search itself? 🙂

sourcetype="Perfmon:CPU Usage" earliest=-5m@m latest=@m serverType="xxx" counter="% Processor Time" | stats avg(Value) as ProcV by host
| append [search sourcetype="Perfmon:PhysicalDisk" earliest=-5m@m latest=@m serverType="xxx" counter="% Disk*" | stats avg(Value) as DiskV by host]
| append [search sourcetype="Perfmon:Processor" earliest=-5m@m latest=@m serverType="xxx" counter="Processor Queue Length" | stats avg(Value) as ProcQueue by host]
| append [search sourcetype="Perfmon:PhysicalDisk" earliest=-5m@m latest=@m serverType="xxx" counter="Current Disk Queue Length" | stats avg(Value) as DiskQueue by host]
| append [search sourcetype="Perfmon:Network" earliest=-5m@m latest=@m serverType="xxx" counter="Bytes Total/sec" | stats avg(Value) as ByteT by host]
| append [search sourcetype="Perfmon:Web Service" earliest=-5m@m latest=@m serverType="xxx" counter="Current Connections" | stats avg(Value) as Curcon by host]
| append [search sourcetype="Perfmon:Active Server Pages" earliest=-5m@m latest=@m serverType="B2C*" counter="Request Wait Time" | stats avg(Value) as RWT by host]
| append [search sourcetype="Perfmon:Active Server Pages" earliest=-5m@m latest=@m serverType="xxx" collection="Active Server Pages" counter="Requests/sec" | stats avg(Value) as ASP by host]
| append [search sourcetype="Perfmon:ASP.NET Apps v2" earliest=-5m@m latest=@m serverType="xxx" collection="ASP.NET Apps v2" counter="Requests/sec" | stats avg(Value) as ASPv2 by host]
| append [search sourcetype="Perfmon:ASP.NET Apps v4" earliest=-5m@m latest=@m serverType="xxx" collection="ASP.NET Apps v4" counter="Requests/sec" | stats avg(Value) as ASPv4 by host]

Any help?


cramasta
Builder

Have you tried using OVER in the chart command?

I didn't rewrite your entire search command, but you should get the idea from what I did with just the first append.

Part of the Original

sourcetype="Perfmon:CPU Usage" earliest=-5m@m latest=@m serverType="xxx" counter="% Processor Time" | stats avg(Value) as ProcV by host
| append [search sourcetype="Perfmon:PhysicalDisk" earliest=-5m@m latest=@m serverType="xxx" counter="% Disk*" | stats avg(Value) as DiskV by host ]

Using chart with over (also concatenated some field names together with an eval for clarity of the metric)

(sourcetype="Perfmon:CPU Usage" counter="% Processor Time" serverType="xxx") OR (sourcetype="Perfmon:PhysicalDisk" counter="% Disk*" serverType="xxx") earliest=-5m@m latest=@m | eval theMetric=sourcetype."-".collection."-".counter | chart avg(Value) over host by theMetric
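To carry the chart-over-by idea through to all ten counters, here is an added example that is not from the original thread: one case() eval assigns each event the short column name the original appends produced, and a single chart then yields one row per host with those columns. It assumes the field names used in the question (sourcetype, collection, counter, Value, host, serverType); the match() regex for the "% Disk*" counters is an assumption, because eval's = compares literally and does not expand the search-time wildcard.

```spl
earliest=-5m@m latest=@m
  ( serverType="xxx" (
      (sourcetype="Perfmon:CPU Usage" counter="% Processor Time") OR
      (sourcetype="Perfmon:PhysicalDisk" counter="% Disk*") OR
      (sourcetype="Perfmon:Processor" counter="Processor Queue Length") OR
      (sourcetype="Perfmon:PhysicalDisk" counter="Current Disk Queue Length") OR
      (sourcetype="Perfmon:Network" counter="Bytes Total/sec") OR
      (sourcetype="Perfmon:Web Service" counter="Current Connections") OR
      (sourcetype="Perfmon:Active Server Pages" collection="Active Server Pages" counter="Requests/sec") OR
      (sourcetype="Perfmon:ASP.NET Apps v2" collection="ASP.NET Apps v2" counter="Requests/sec") OR
      (sourcetype="Perfmon:ASP.NET Apps v4" collection="ASP.NET Apps v4" counter="Requests/sec") ) )
  OR ( serverType="B2C*" sourcetype="Perfmon:Active Server Pages" counter="Request Wait Time" )
| eval metric=case(
    sourcetype="Perfmon:CPU Usage" AND counter="% Processor Time", "ProcV",
    sourcetype="Perfmon:PhysicalDisk" AND match(counter, "^% Disk"), "DiskV",
    sourcetype="Perfmon:Processor" AND counter="Processor Queue Length", "ProcQueue",
    sourcetype="Perfmon:PhysicalDisk" AND counter="Current Disk Queue Length", "DiskQueue",
    sourcetype="Perfmon:Network" AND counter="Bytes Total/sec", "ByteT",
    sourcetype="Perfmon:Web Service" AND counter="Current Connections", "Curcon",
    sourcetype="Perfmon:Active Server Pages" AND counter="Request Wait Time", "RWT",
    sourcetype="Perfmon:Active Server Pages" AND counter="Requests/sec", "ASP",
    sourcetype="Perfmon:ASP.NET Apps v2" AND counter="Requests/sec", "ASPv2",
    sourcetype="Perfmon:ASP.NET Apps v4" AND counter="Requests/sec", "ASPv4")
| where isnotnull(metric)
| chart avg(Value) over host by metric
```

The where clause drops any event the search matched but no case branch named, so a stray counter cannot appear as an unexpected column. chart orders the columns alphabetically by metric value; add a table command listing host and the ten names if you want the original column order.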

jonuwz
Influencer

This. Mod parent up.


sideview
SplunkTrust

Well, I'm going to take some liberties with this, and assume you'd like to do the same report but without all the complexity of the subsearches and appends. This search can be rewritten to do all this work in a single search pipeline; however, whether the end result is simpler is arguable at best.

Tackling the search part and the report part separately, the search part, i.e. the "getting things off disk" part, can be done just by refactoring all our search terms.

earliest=-5m@m latest=@m (serverType="xxx" (
  (sourcetype="Perfmon:CPU Usage" counter="% Processor Time") OR
  (sourcetype="Perfmon:PhysicalDisk" counter="% Disk*") OR
  (sourcetype="Perfmon:Processor" counter="Processor Queue Length") OR
  (sourcetype="Perfmon:PhysicalDisk" counter="Current Disk Queue Length") OR
  (sourcetype="Perfmon:Network" counter="Bytes Total/sec") OR
  (sourcetype="Perfmon:Web Service" counter="Current Connections") OR
  (sourcetype="Perfmon:Active Server Pages" collection="Active Server Pages" counter="Requests/sec") OR
  (sourcetype="Perfmon:ASP.NET Apps v2" collection="ASP.NET Apps v2" counter="Requests/sec") OR
  (sourcetype="Perfmon:ASP.NET Apps v4" collection="ASP.NET Apps v4" counter="Requests/sec")
)) OR (
  serverType="B2C*"
  (sourcetype="Perfmon:Active Server Pages" counter="Request Wait Time")
)

BUT! you say, the whole point of the append was to keep all the "Value" fields separate. Well, that problem can be solved a different way. With a lot of eval and a little stats.

| eval ProcV = if(sourcetype="Perfmon:CPU Usage" AND counter="% Processor Time", Value, null())
| eval DiskV = if(sourcetype="Perfmon:PhysicalDisk" AND match(counter, "^% Disk"), Value, null())
| eval ProcQueue = if(sourcetype="Perfmon:Processor" AND counter="Processor Queue Length", Value, null())
| eval DiskQueue = if(sourcetype="Perfmon:PhysicalDisk" AND counter="Current Disk Queue Length", Value, null())
| eval ByteT = if(sourcetype="Perfmon:Network" AND counter="Bytes Total/sec", Value, null())
| eval Curcon = if(sourcetype="Perfmon:Web Service" AND counter="Current Connections", Value, null())
| eval RWT = if(sourcetype="Perfmon:Active Server Pages" AND counter="Request Wait Time", Value, null())
| eval ASP = if(sourcetype="Perfmon:Active Server Pages" AND collection="Active Server Pages" AND counter="Requests/sec", Value, null())
| eval ASPv2 = if(sourcetype="Perfmon:ASP.NET Apps v2" AND collection="ASP.NET Apps v2" AND counter="Requests/sec", Value, null())
| eval ASPv4 = if(sourcetype="Perfmon:ASP.NET Apps v4" AND collection="ASP.NET Apps v4" AND counter="Requests/sec", Value, null())
| stats avg(ProcV) as ProcV avg(DiskV) as DiskV avg(ProcQueue) as ProcQueue avg(DiskQueue) as DiskQueue avg(ByteT) as ByteT avg(Curcon) as Curcon avg(RWT) as RWT
  avg(ASP) as ASP avg(ASPv2) as ASPv2 avg(ASPv4) as ASPv4 by host

theouhuios
Motivator

Yup, the eval one is something which I tried, Nick, but strangely it takes more time to compute the results than append. But I guess I will still use eval to reduce the number of simultaneous searches.
