I'm using the *NIX add-on for Splunk. We receive "TOP.sh" information into Splunk. Top provides the process information and pctCPU. I'm trying to run a statistics table search to do the following:
Pull the TOP data for a specific host.
Return the COMMAND (Process Name) and pctCPU.
Sum the pctCPU for all similar process names.
Create a new column with the total pctCPU for every process.
Divide the pctCPU total for each process by the total pctCPU of the box and put that in a separate field (cpuShare).
Return the process names and cpuShare.
I have a piechart that returns the data and creates the slices. But the statistical format of that doesn't have the percentages. Is there a hidden field I can display or do I need to do the division myself? This is going in a dashboard. I have obscured the real host name with $host_name$
Example of pie chart:
index=os host=$host_name$ source="top" COMMAND=*
| table _time, host, USER, COMMAND, PID, pctCPU
| chart sum(pctCPU) over COMMAND
Example of statistical table to evaluate the CPU share:
index=os host=$host_name$ source="top" COMMAND=*
| table COMMAND, pctCPU
| stats sum(pctCPU) by COMMAND
| sort - sum(pctCPU)
| eval bretCPU =
[ search index=os host=$host_name$ source="top" COMMAND=*
| table pctCPU
| stats sum(pctCPU) as totalPctCPU
| return totalPctCPU]
↧