Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the most recent value for 2 fields and plot them in a pie chart?

sushmitha_mj
Communicator
‎04-15-2015 07:30 AM

I am trying to figure out how to retrieve the most recent value for the free memory and used memory in MB. I want to plot them in a pie chart to get an accurate picture of memory usage, instead of a timechart that gives usage over a period of time. How should I get recent value of the fields?

Search:

index=os sourcetype=vmstat host=$host$ | timechart median(memFreeMB) as Mem_Free, median(memUsedMB) as Mem_Used by host
Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎04-15-2015 08:23 AM

If you want the latest value only, you need to use a stats command using the first function. It is important to understand that Splunk organizes the data in a reverse-time notation. Assume for example that you have a data set like this:

Wed Apr 15 10:10:01 EDT 2015 myserver memFreeMB=0 memUsedMB=4096
Wed Apr 15 10:20:02 EDT 2015 myserver memFreeMB=1024 memUsedMB=3072
Wed Apr 15 10:30:01 EDT 2015 myserver memFreeMB=2048 memUsedMB=2048
Wed Apr 15 10:40:01 EDT 2015 myserver memFreeMB=3072 memUsedMB=1024

Once you index the data, you end up with a reverse-time ordering where the latest event is shown first. Add the following using the stats command and you get a table.

| stats first(memFreeMB) AS memFreeMB first(memUsedMB) AS memUsedMB

Once you've done that, you need to flip the table so that you have a col, val format. That's the expected format for a pie chart. The easiest way is to use the transpose command.

| transpose

All together you get something like this:

alt text

I hope this helps you.

--
gc

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎04-15-2015 08:23 AM

If you want the latest value only, you need to use a stats command using the first function. It is important to understand that Splunk organizes the data in a reverse-time notation. Assume for example that you have a data set like this:

Wed Apr 15 10:10:01 EDT 2015 myserver memFreeMB=0 memUsedMB=4096
Wed Apr 15 10:20:02 EDT 2015 myserver memFreeMB=1024 memUsedMB=3072
Wed Apr 15 10:30:01 EDT 2015 myserver memFreeMB=2048 memUsedMB=2048
Wed Apr 15 10:40:01 EDT 2015 myserver memFreeMB=3072 memUsedMB=1024

Once you index the data, you end up with a reverse-time ordering where the latest event is shown first. Add the following using the stats command and you get a table.

| stats first(memFreeMB) AS memFreeMB first(memUsedMB) AS memUsedMB

Once you've done that, you need to flip the table so that you have a col, val format. That's the expected format for a pie chart. The easiest way is to use the transpose command.

| transpose

All together you get something like this:

alt text

I hope this helps you.

--
gc

Preview file
1 KB
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎04-15-2015 08:46 AM

@Giberto Castillo
Thank you so much for the explanation of the solution as well... It worked perfectly fine...

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-15-2015 07:57 AM

Hi sushmitha_mj ,

to get recent value of a field you can use first() with stats cammand :

for exemple:

index=os sourcetype=vmstat host=$host$ |stats first(memFreeMB) as Mem_Free, first(memUsedMB) as Mem_Used by host

Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎04-15-2015 08:47 AM

@stephane_cyrille
It worked thanks...

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...