I have the following values:
OS= ex. windows, linux
CPUCount= ex. 4,8,16
MemoryCount= ex. 8,16,32
PhysicalVirtual= ex. Physical, Virtual
I would like to chart the sum of the following:
Virtual_Linux=sum(CPUCount)
Virtual_Windows=sum(CPUCount)
Same for Physical, then by Memory for both Physical and Virtual, etc.
Thanks for any help on getting me started on this.
Matt
How about this:
your base search
| eval Physical_Linux_CPU=if(PhysicalVirtual="Physical" AND OS="linux", CPUCount, 0)
| eval Physical_Windows_CPU=if(PhysicalVirtual="Physical" AND OS="windows", CPUCount, 0)
| eval Virtual_Linux_CPU=if(PhysicalVirtual="Virtual" AND OS="linux", CPUCount, 0)
| eval Virtual_Windows_CPU=if(PhysicalVirtual="Virtual" AND OS="windows", CPUCount, 0)
| eval Physical_Linux_Memory=if(PhysicalVirtual="Physical" AND OS="linux", MemoryCount, 0)
| eval Physical_Windows_Memory=if(PhysicalVirtual="Physical" AND OS="windows", MemoryCount, 0)
| eval Virtual_Linux_Memory=if(PhysicalVirtual="Virtual" AND OS="linux", MemoryCount, 0)
| eval Virtual_Windows_Memory=if(PhysicalVirtual="Virtual" AND OS="windows", MemoryCount, 0)
| stats sum(*_CPU) AS *_CPU sum(*_Memory) AS *_Memory
There's probably a cleaner way to do that using foreach, but I'm not confident about the syntax and don't have access to my Splunk instance at the moment. 🙂 But this should definitely work.
This seems to work perfectly! I had to make sense of how it handles all items that don't match as 0's but once I figured that out it turned out great!
Thanks very much!
Matt
Hello,
I didn't understand very well; try using the append command:
index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual
| append [ search index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual ]
Best regards
For two separate charts:
Charting CPU count for both Physical and Virtual and OS:
index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual
Charting Memory for both Physical and Virtual and OS:
index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual
Are you looking for one chart with all of your options? Or separate charts?