How to do it...

Follow these steps to chart the application memory usage over the past day:

1. Log in to your Splunk server.
2. Select the Search & Reporting application.
3. Ensure that the time range picker is set to Last 24 hours and type the following search into the Splunk search bar. Then, click on Search or hit Enter:

index=main sourcetype=log4j perfType="MEMORY" | eval mem_used_pc=round((mem_used/mem_total)*100) | eval mem_remain_pc=(100-mem_used_pc) | timechart span=15m avg(mem_remain_pc) avg(mem_used_pc)

1. Splunk will return a tabulated list, detailing all the events that meet our search criteria,  as shown in the following screenshot:
   
2. This is great, but hard to visualize in tabular form. Click on the Visualization tab, and you will see this data represented in a column (by default) chart.

1. Click on the column link above the chart and select Area. Then, click on the Format link and change the Stack Mode to stacked and click on Apply. Splunk now presents this data in an area chart, allowing us easily to see if there are times during the day when our application might be getting low on memory. In this case, our sample data looks to be using very little memory, as shown in the following screenshot:
   
2. Save this search by clicking on Save As and then on Report. Give the report a name of cp02_application_memory and click on Save. On the next screen, click on Continue Editing to return to the search.