Splunk Search

Create a ratio of GCs

motobeats
Path Finder

I would like to create a ratio of full GCs to GCs from my GC log. I can count up either event easy enough but I can't figure out how to count total GCs and then just full GCs such that I can display the percentage as a single value on a dashboard.

Hints?

0 Karma

asimagu
Builder

Not sure if I got what you're after, but this may help you

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Addtotals

have a play with the options of this command, and it will calculate totals.

For the percentage you need to use the eval command

0 Karma

asimagu
Builder

you can indeed set up new fields on the fly with the rex command if it's a field extraction (you create a new field) and you can also create new fields with the eval command if they are not extractions but transformations

0 Karma

motobeats
Path Finder

This would be a more straightforward way of getting my percentage. But PSYoungGen and Full GC are just searches, not fields being picked up by Splunk. Can I define them as a field on the fly?
And Full GC is a subset of PSYoungGen, so a minor tweak to your logic above.

0 Karma

asimagu
Builder

yes, could you do a field extraction for those values?that way they could be under the same FIELD. then try this:

sourcetype=gc.log FIELD="PSYoungGen" OR FIELD="Full GC" | stats count(FIELD=="PSYoungGen") AS "GCs", count(FIELD="FullGC") AS "Full_GCs", count AS "Total" ...... and then calculate your percentange

I was assuming that in some events you got this value "PSYoungGen" and in some other you got "Full GC" , if it does not work like that maybe you can still see where I was going with my explanation. Please do not hesitate to ask if you don't understand

0 Karma

motobeats
Path Finder

Ok, this search worked for me. But I wonder if there is anything more efficient (shorter search sting)
sourcetype=gc.log "PSYoungGen"|stats count as "GCs"|append [ search sourcetype=gc.log "Full GC"|stats count as "Full_GCs"]|stats sum(GCs) as GCs,sum(Full_GCs) as Full_GCs|eval Percent_Full_GCs=(100*Full_GCs/GCs)|eval Percent_Full_GCs=round(Percent_Full_GCs,0)|table Percent_Full_GCs

0 Karma

motobeats
Path Finder

sourcetype=gc.log "PSYoungGen"|eval series="GCs"|append [ search sourcetype=gc.log "Full GC"|eval series="Full GCs"]|stats count by series

0 Karma

asimagu
Builder

can you type your search here?

0 Karma

motobeats
Path Finder

Sort of. I have a table with a count for Full GCs and all GCs. Not sure how to get (Full GCs)/(GCs) as the final output.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...