I would like to create a ratio of full GCs to GCs from my GC log. I can count up either event easy enough but I can't figure out how to count total GCs and then just full GCs such that I can display the percentage as a single value on a dashboard.
Hints?
Not sure if I got what you're after, but this may help you
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Addtotals
have a play with the options of this command, and it will calculate totals.
For the percentage you need to use the eval command
you can indeed set up new fields on the fly with the rex command if it's a field extraction (you create a new field) and you can also create new fields with the eval command if they are not extractions but transformations
This would be a more straightforward way of getting my percentage. But PSYoungGen and Full GC are just searches, not fields being picked up by Splunk. Can I define them as a field on the fly?
And Full GC is a subset of PSYoungGen, so a minor tweak to your logic above.
yes, could you do a field extraction for those values?that way they could be under the same FIELD. then try this:
sourcetype=gc.log FIELD="PSYoungGen" OR FIELD="Full GC" | stats count(FIELD=="PSYoungGen") AS "GCs", count(FIELD="FullGC") AS "Full_GCs", count AS "Total" ...... and then calculate your percentange
I was assuming that in some events you got this value "PSYoungGen" and in some other you got "Full GC" , if it does not work like that maybe you can still see where I was going with my explanation. Please do not hesitate to ask if you don't understand
Ok, this search worked for me. But I wonder if there is anything more efficient (shorter search sting)
sourcetype=gc.log "PSYoungGen"|stats count as "GCs"|append [ search sourcetype=gc.log "Full GC"|stats count as "Full_GCs"]|stats sum(GCs) as GCs,sum(Full_GCs) as Full_GCs|eval Percent_Full_GCs=(100*Full_GCs/GCs)|eval Percent_Full_GCs=round(Percent_Full_GCs,0)|table Percent_Full_GCs
sourcetype=gc.log "PSYoungGen"|eval series="GCs"|append [ search sourcetype=gc.log "Full GC"|eval series="Full GCs"]|stats count by series
can you type your search here?
Sort of. I have a table with a count for Full GCs and all GCs. Not sure how to get (Full GCs)/(GCs) as the final output.