- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Range map multiple fields in search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to prevent my search head from reaching the maximum number of concurrent searches by combine my searches used in my singles on a dashboard and rangemap the values. The problem is the range map for fcpu is applied to fmem for my single.
index="server" sourcetype="perfmon" | rename host as chost |regex chost="(?i)(ASERVER[\w\d+]+)" |stats first(totaperproctime) as cpuby chost | sort -cpu, chost | head 1 | fields cpu, chost | append [search index="sb_web" sourcetype="perfmon" | rename host as mhost |regex mhost="(?i)(ASERVER[\w\d+]+)" |stats first(permemcommitted) as mem by mhost | sort -mem, mhost| head 1 |fields mem, mhost] | stats first(mem) as fmem, first(mhost) as fmhost, first(cpu) as fcpu, first(chost) as fchost | rangemap field=fcpu low=0-35 elevated=36-70 severe=71-100 | rangemap field=fmem low=0-14 elevated=15-70 severe=71-100 | rangemap field=fcpu low=0-35 elevated=36-70 severe=71-100
Results:
fmem | fmhost | fcpu | fchost| range
15.98 | ASEVER11 | 10.25| ASERVER09| low
xml for singles:
<row grouping="1,1,6">
<chart>
somechart
</chart>
<chart>
somechart
</chart>
<html>
<h3>Core Server Hightest Memory</h3>
</html>
<single>
<searchName>Core Max CPU and MEM by host</searchName>
<option name="classField">range</option>
<option name="field">fmhost</option>
</single>
<single>
<searchName>Core Max CPU and MEM by host</searchName>
<option name="afterLabel">%</option>
<option name="classField">range</option>
<option name="field">fmem</option>
</single>
<html>
<br />
<h3>Core Server Hightest CPU</h3>
</html>
<single>
<searchName>Core Max CPU and MEM by host</searchName>
<option name="classField">range</option>
<option name="field">fchost</option>
</single>
<single>
<searchName>Core Max CPU and MEM by host</searchName>
<option name="afterLabel">%</option>
<option name="classField">range</option>
<option name="field">fcpu</option>
</single>
</row>
I've also tried using:
<option name="charting.chart.rangeValues">[0,100,300,500]</option> with no success.
Any help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to fix your search (and XML):
index="server" sourcetype="perfmon"
| rename host as chost |regex chost="(?i)(ASERVER[wd+]+)"
|stats first(totaperproctime) as cpuby chost
| sort -cpu, chost | head 1 | fields cpu, chost
| append [search index="sb_web" sourcetype="perfmon"
| rename host as mhost |regex mhost="(?i)(ASERVER[wd+]+)"
|stats first(permemcommitted) as mem by mhost
| sort -mem, mhost| head 1 |fields mem, mhost]
| stats first(mem) as fmem, first(mhost) as fmhost, first(cpu) as fcpu, first(chost) as fchost
| rangemap field=fcpu low=0-35 elevated=36-70 severe=71-100
| rename range as fcpu_range
| rangemap field=fmem low=0-14 elevated=15-70 severe=71-100
| rename range as fmem_range
In the XML, simply change the line
<option name="classField">range</option>
to either
<option name="classField">fcpu_range</option>
or
<option name="classField">fmem_range</option>
depending on the panel...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to fix your search (and XML):
index="server" sourcetype="perfmon"
| rename host as chost |regex chost="(?i)(ASERVER[wd+]+)"
|stats first(totaperproctime) as cpuby chost
| sort -cpu, chost | head 1 | fields cpu, chost
| append [search index="sb_web" sourcetype="perfmon"
| rename host as mhost |regex mhost="(?i)(ASERVER[wd+]+)"
|stats first(permemcommitted) as mem by mhost
| sort -mem, mhost| head 1 |fields mem, mhost]
| stats first(mem) as fmem, first(mhost) as fmhost, first(cpu) as fcpu, first(chost) as fchost
| rangemap field=fcpu low=0-35 elevated=36-70 severe=71-100
| rename range as fcpu_range
| rangemap field=fmem low=0-14 elevated=15-70 severe=71-100
| rename range as fmem_range
In the XML, simply change the line
<option name="classField">range</option>
to either
<option name="classField">fcpu_range</option>
or
<option name="classField">fmem_range</option>
depending on the panel...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you considered using postprocessing? I think this will be closer to what you want.
With this technique, you run a single search, and then manipulate the results in multiple ways, displaying each variant in its own dashboard panel. Here is the description in the manual:
http://docs.splunk.com/Documentation/Splunk/latest/Developer/PostProcess
You may also find it helpful to download the free app: Splunk UI Examples for 4.1+ which has at least one example of postprocessing.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
