https://community.splunk.com/t5/Deployment-Architecture/Linux-Unix-App-total-usage-with-multiple-CPUs/m-p/98355#M3641 <P>Hi, so I have a question regarding CPU usage and virtualization/multiple processors.</P> <P>My environment:<BR /> Red hat 6 Virtual Machine<BR /> 2 CPU<BR /> 8 GB RAM</P> <P>I was testing some basic alerting using the *Nix Addon for Splunk. The app includes a cpu monitor script out of the box using top. A snag I hit was such: If I monitor for a process taking up 90%+ CPU over a time period that doesn't necessarily mean the VM is capped/flatlined on CPU. For a 2 CPU system in this scenario it's possible that only ~70% of total CPU is being used (90% - 100% of one CPU + what the rest of the processes are using on the second processor). This would all be dependent on how an application runs, how many processors are on the box, etc.</P> <P>I'm trying to find a more reliable way to monitor total usage. Has anyone had experiences similar to this? I've been giving:</P> <PRE><CODE>index=os sourcetype=cpu host=SplunkLab03 | multikv fields pctIdle | where pctIdle&lt;10 </CODE></PRE> <P>A shot and it seems to work well but would appreciate a verification before moving forward.</P> <P>The script I use to run up cpu is:</P> <PRE><CODE>while true; do true; done </CODE></PRE> Mon, 22 Oct 2012 20:08:18 GMT sherbuckap 2012-10-22T20:08:18Z https://community.splunk.com/t5/Deployment-Architecture/Linux-Unix-App-total-usage-with-multiple-CPUs/m-p/98355#M3641 <P>Hi, so I have a question regarding CPU usage and virtualization/multiple processors.</P> <P>My environment:<BR /> Red hat 6 Virtual Machine<BR /> 2 CPU<BR /> 8 GB RAM</P> <P>I was testing some basic alerting using the *Nix Addon for Splunk. The app includes a cpu monitor script out of the box using top. A snag I hit was such: If I monitor for a process taking up 90%+ CPU over a time period that doesn't necessarily mean the VM is capped/flatlined on CPU. For a 2 CPU system in this scenario it's possible that only ~70% of total CPU is being used (90% - 100% of one CPU + what the rest of the processes are using on the second processor). This would all be dependent on how an application runs, how many processors are on the box, etc.</P> <P>I'm trying to find a more reliable way to monitor total usage. Has anyone had experiences similar to this? I've been giving:</P> <PRE><CODE>index=os sourcetype=cpu host=SplunkLab03 | multikv fields pctIdle | where pctIdle&lt;10 </CODE></PRE> <P>A shot and it seems to work well but would appreciate a verification before moving forward.</P> <P>The script I use to run up cpu is:</P> <PRE><CODE>while true; do true; done </CODE></PRE> Mon, 22 Oct 2012 20:08:18 GMT https://community.splunk.com/t5/Deployment-Architecture/Linux-Unix-App-total-usage-with-multiple-CPUs/m-p/98355#M3641 sherbuckap 2012-10-22T20:08:18Z https://community.splunk.com/t5/Deployment-Architecture/Linux-Unix-App-total-usage-with-multiple-CPUs/m-p/98356#M3642 <P>On a multicore system, load is roughly additive. So I would simply add values from all CPUs ( <CODE>sum(pctIdle) by _time</CODE>, then divide by number of CPUs ( <CODE>| eventstats dc(CPU)</CODE>). On the other hand, the <CODE>sar</CODE> utility on Linux that sourcetype cpu uses includes the aggregation CPU="all". This saves you from the burden (and complicates the filter if you are to calculate on your own). Hence,</P> <PRE><CODE>index=os sourcetype=cpu host=SplunkLab03 CPU=all | where pctIdle&lt;10 </CODE></PRE> Tue, 20 Oct 2015 20:33:56 GMT https://community.splunk.com/t5/Deployment-Architecture/Linux-Unix-App-total-usage-with-multiple-CPUs/m-p/98356#M3642 yuanliu 2015-10-20T20:33:56Z