First, as an example, I wanted to share that I thought the question and responses in this SA post were excellent; I stole the formatting idea from the OP and hope it will help: https://answers.splunk.com/answers/48641/summary-index-noob-question.html

First, the summary search:
- search name = "Summary CPU Usage".
- search = "sourcetype="Perfmon:CPU" counter="% Processor Time" instance="_Total" | sitimechart span=5m limit=0 avg(Value) by host".
- start time = "-20m@m" finish time = "-5m@m".
- scheduled to run every 5 minutes.
- alert condition = always.
- alert mode = once per search.
- summary indexing = enabled.
- summary index = "Performance_Summary".
- added fields: "report" = "cpu_usage".
- report search = "index=Performance_Summary report="cpu_usage" | timechart span=15m count by host".

But this returns so many statistics that it makes the graph unusable. Also, when splitting by host as noted above, it just pulls back the name of my search head, not each individual node. I understand that this would need to be changed to orig_host, but why is that, and is there a way to change it, as users may not know when they need to do that with summary data?
Thanks!
Dustin