- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display load average values in a chart?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i have written script which extracts the load average values and provides the output.by using below output, how can we create charts to display load average?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since there is no time given in the sample so I will guess it. Let's say if load averages are being calculated at discrete intervals, i.e. the 15 min average does not have data included from the 5 minute average, and 5 minute average doesn't have 1 minute average in it, then if each "output" line is a single event the intuitive graph that becomes is:
index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| timechart max(loadAvg) as LoadAvg
From the visualization options choose Format >> General >> Null Values as Connect to ensure the average stays continuous in case of missing values . That shall form the basic timechart at least to start off. Alternatively you can use min function in timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since there is no time given in the sample so I will guess it. Let's say if load averages are being calculated at discrete intervals, i.e. the 15 min average does not have data included from the 5 minute average, and 5 minute average doesn't have 1 minute average in it, then if each "output" line is a single event the intuitive graph that becomes is:
index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| timechart max(loadAvg) as LoadAvg
From the visualization options choose Format >> General >> Null Values as Connect to ensure the average stays continuous in case of missing values . That shall form the basic timechart at least to start off. Alternatively you can use min function in timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for your response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can we show values in single line like below
0.00,0.20,10.00
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you might want to explore the transpose option, something like:
index=yourIndex sourcetype=yourSourcetype loadaverage
| rex "value=\"(?<loadAvg>[^\"]+)\""
| table loadAvg
| transpose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu may be missing the output that you wanted to show.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somehow i am not able to copy entire output,i copied single line
but here is the last column from the out put
name="loadaverage|last1min" value="0.00"
name="loadaverage|last5min" value="0.34"/>
name="loadaverage|last15min" value="5.00"/>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry here is the output
system time="Thu Jan 19 20:24:50 2017" HostName ="gpd-653-fc88" Days ="76" Users ="2" name="loadaverage|last1min" value="0.00"/>
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
