Find Range of CPU Usage by Host

Find the numeric range between the smallest and largest numbers in a specified field using the range() function with groupBy()

Query

groupBy([host], function=range(cpu_usage))

Introduction

A numeric range is the difference between the highest and lowest values in a specified numeric field across a set of events. The range() function can be used to calculate this difference and it works with both integer and floating-point fields.

In this example, the range() function is used to find the range of CPU usage for each host, that is, the difference between the highest and lowest values in the field cpu_usage.

Example incoming event data might look like this:

timestamp             host       cpu_usage
2025-04-30T07:00:00Z  host1.com  50
2025-04-30T07:01:00Z  host1.com  75
2025-04-30T07:02:00Z  host1.com  95
2025-04-30T07:03:00Z  host1.com  65
2025-04-30T07:00:00Z  host2.com  50
2025-04-30T07:01:00Z  host2.com  70
2025-04-30T07:02:00Z  host2.com  55
2025-04-30T07:03:00Z  host2.com  65
2025-04-30T07:00:00Z  host3.com  25
2025-04-30T07:01:00Z  host3.com  100
2025-04-30T07:02:00Z  host3.com  45
2025-04-30T07:03:00Z  host3.com  80

Step-by-Step

  1. Starting with the source repository events.

  2. groupBy([host], function=range(cpu_usage))

    Groups events by host name in the field host ([host]), then calculates the range (the difference) between the highest and the lowest CPU usage value for each host, returning the results in a new field named _range.

    The range() function always returns a single number (the difference between maximum and minimum).

  3. Event Result set.

Summary and Results

The query is used to find the range of CPU usage by host. The smaller the range (0-20), the more stable the system.

Sample output from the incoming example data:

host       _range
host1.com  45
host2.com  20
host3.com  75
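
The aggregation above, modelled in Python as an added example (not part of the original page and not LogScale's own code): it recomputes _range per host from the sample events and lists the hosts whose range falls outside the 0-20 band mentioned in the summary. The CSV layout, the function names, the use of 20 as a cut-off and the skipping of non-numeric values are assumptions of this example.

```python
import csv
import io

# Constructed sample: the example events from this page, written as CSV rows.
SAMPLE_EVENTS = """\
timestamp,host,cpu_usage
2025-04-30T07:00:00Z,host1.com,50
2025-04-30T07:01:00Z,host1.com,75
2025-04-30T07:02:00Z,host1.com,95
2025-04-30T07:03:00Z,host1.com,65
2025-04-30T07:00:00Z,host2.com,50
2025-04-30T07:01:00Z,host2.com,70
2025-04-30T07:02:00Z,host2.com,55
2025-04-30T07:03:00Z,host2.com,65
2025-04-30T07:00:00Z,host3.com,25
2025-04-30T07:01:00Z,host3.com,100
2025-04-30T07:02:00Z,host3.com,45
2025-04-30T07:03:00Z,host3.com,80
"""

STABLE_MAX_RANGE = 20  # assumption: upper bound of the 0-20 band in the summary


def range_by_host(csv_text, field="cpu_usage", key="host"):
    """Model of groupBy([host], function=range(cpu_usage)): max - min per host."""
    lo, hi = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row.get(key)
        try:
            value = float(row[field])
        except (KeyError, TypeError, ValueError):
            continue  # assumption of this sketch: ignore events without a numeric value
        if not host:
            continue
        lo[host] = min(lo.get(host, value), value)
        hi[host] = max(hi.get(host, value), value)
    # A host with a single event has max == min, so its range is 0.
    return {host: hi[host] - lo[host] for host in lo}


def hosts_outside_band(ranges, threshold=STABLE_MAX_RANGE):
    """Hosts whose CPU usage range exceeds the stable band, sorted by name."""
    return sorted(host for host, r in ranges.items() if r > threshold)


if __name__ == "__main__":
    ranges = range_by_host(SAMPLE_EVENTS)
    print(ranges, hosts_outside_band(ranges))
```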