I was asked to look into building a report on how much an item moves vs. a baseline. I was trying to compare CPU utilization by process over a month, and compare that to utilization on a given day. After that, I wanted to compare the difference in ranking. How could this be done?
I could see where something like this could be modified to be made useful for others, so I thought I would share the search:
index="os" sourcetype="ps" host="*" earliest=-30d@d
| multikv fields pctCPU, COMMAND
| chart avg(pctCPU) as pctCPUMonthly by COMMAND
| sort limit=10 - COMMAND
| streamstats count as MonthRank
| append [search index="os" sourcetype="ps" host="*" earliest=-1d@d | multikv fields pctCPU, COMMAND | chart avg(pctCPU) as pctCPUDaily by COMMAND | sort limit=10 - COMMAND | streamstats count as DayRank]
| stats first(MonthRank) as MonthRank first(DayRank) as DayRank by COMMAND
| eval difference=MonthRank-DayRank
| fields + COMMAND, MonthRank, DayRank, difference
I hope this is useful to someone.
I think there's an error here:
"| sort limit=10 - COMMAND"
You're sorting by the NAMES (i.e. "COMMAND") of the commands from Z to A, and then using that order as the MonthRank? I think you want
"| sort limit=10 - pctCPUMonthly"
Might be useful to talk out how the search does its magic?
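Taking up both points in the comment above (the sort key and a walk-through of the search), here is the search with the sort fixed in both halves. This is an added example, not the original poster's search. Two things are assumptions of mine rather than the page's: a `latest=@d` bound on both halves so the "daily" half covers one whole day (yesterday) instead of yesterday plus however much of today has elapsed, and `stats` in place of `chart`, which produces the same table when there is a single split-by field. The redundant `host="*"` is dropped; `first(pctCPUMonthly)` and `first(pctCPUDaily)` are carried through so the report shows the averages the ranks were built from.

```spl
index="os" sourcetype="ps" earliest=-30d@d latest=@d
| multikv fields pctCPU, COMMAND
| stats avg(pctCPU) as pctCPUMonthly by COMMAND
| sort limit=10 - pctCPUMonthly
| streamstats count as MonthRank
| append
    [ search index="os" sourcetype="ps" earliest=-1d@d latest=@d
      | multikv fields pctCPU, COMMAND
      | stats avg(pctCPU) as pctCPUDaily by COMMAND
      | sort limit=10 - pctCPUDaily
      | streamstats count as DayRank ]
| stats first(MonthRank) as MonthRank first(pctCPUMonthly) as pctCPUMonthly
        first(DayRank) as DayRank first(pctCPUDaily) as pctCPUDaily
        by COMMAND
| eval difference=MonthRank-DayRank
| table COMMAND, MonthRank, pctCPUMonthly, DayRank, pctCPUDaily, difference
```

How the search does its magic, stage by stage: `multikv` turns each tabular `ps` event into one event per row, so every row carries one process's `pctCPU` and `COMMAND`. `stats avg(pctCPU) ... by COMMAND` collapses the 30 days into one row per command with its mean CPU share. `sort limit=10 - pctCPUMonthly` orders those rows by that average, highest first, and keeps the top ten (the original `- COMMAND` sorted the names from Z to A, which is why the ranks looked arbitrary). `streamstats count` then numbers the rows in that order, so the busiest command gets rank 1. The subsearch in `append` does the same for one day and tacks its ten rows underneath the monthly ten. Because every command appears at most once in each half, `stats first(...) by COMMAND` is a safe way to merge the two halves into one row per command. Finally `difference` is positive when a process ranks higher (smaller number) today than over the month and negative when it has fallen. A process that is in one top ten but not the other has only one rank, so its `difference` is null; if you want those to show up as movers, replace `sort limit=10` with a full ranking and filter on rank afterwards.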