https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274512#M2581 <P>Part of the beauty of managing the GAiA OS is that the vast majority is directly derived from RedHat EL (depending on the version of GAiA, predominantly RHEL3 or RHEL5).</P> <P>The output you're looking to ingest is from "mpstat", a standard *Nix application.</P> <P>The <A href="https://splunkbase.splunk.com/app/833/#/details">*NIX TA (available at https://splunkbase.splunk.com/app/833/</A> ) does the necessary work to make sense of this input type without reinventing the wheel. The sourcetype will be "cpu".</P> Fri, 09 Dec 2016 13:46:42 GMT mnatkin_splunk 2016-12-09T13:46:42Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274508#M2577 <P>Hi all,<BR /> we're trying to import archive logs from checkpoint (gaia).<BR /> In one archive it includes many hardware params.<BR /> Each file has a unix timestamp (cpu_load.1480888800) 866 each day<BR /> cut cpu_load.1480888800</P> <PRE><CODE>Average: CPU %user %nice %sys %iowait %irq %soft %steal %idle intr/s Average: all 0.54 0.00 0.47 0.08 0.02 1.13 0.00 97.75 18997.50 Average: 0 4.00 0.00 2.90 3.00 0.10 3.20 0.00 86.80 1060.80 Average: 1 0.10 0.00 0.40 0.00 0.00 0.80 0.00 98.80 0.00 Average: 12 0.30 0.00 0.00 0.00 0.10 0.50 0.00 99.20 637.00 Average: 39 0.10 0.00 0.60 0.00 0.10 1.10 0.00 98.10 1267.90 </CODE></PRE> <P>How import cpu load for each core? </P> Tue, 29 Sep 2020 12:05:32 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274508#M2577 k909 2020-09-29T12:05:32Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274509#M2578 <P>Have you tried importing the file as a CSV with the field delimiter set to space?</P> Thu, 08 Dec 2016 13:12:16 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274509#M2578 richgalloway 2016-12-08T13:12:16Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274510#M2579 <P>Hi,<BR /> Thanks for answer, but space delimeter not help.<BR /> try to change props.conf<BR /> [cpu_61k_csv]<BR /> FIELDS = Average,CPU,user,nice,sys,iowait,irq,soft,steal,idle,intr/s<BR /> DELIMS = " "</P> <P>But space delimeter its different, it depend from value from row</P> Tue, 29 Sep 2020 12:05:55 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274510#M2579 k909 2020-09-29T12:05:55Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274511#M2580 <P>From your edited question it appears the delimiter is tab rather than space. Try using <CODE>\t</CODE> as the <CODE>DELIMS</CODE> value.</P> Fri, 09 Dec 2016 12:48:03 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274511#M2580 richgalloway 2016-12-09T12:48:03Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274512#M2581 <P>Part of the beauty of managing the GAiA OS is that the vast majority is directly derived from RedHat EL (depending on the version of GAiA, predominantly RHEL3 or RHEL5).</P> <P>The output you're looking to ingest is from "mpstat", a standard *Nix application.</P> <P>The <A href="https://splunkbase.splunk.com/app/833/#/details">*NIX TA (available at https://splunkbase.splunk.com/app/833/</A> ) does the necessary work to make sense of this input type without reinventing the wheel. The sourcetype will be "cpu".</P> Fri, 09 Dec 2016 13:46:42 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-import-CPU-load-from-Check-Point-logs/m-p/274512#M2581 mnatkin_splunk 2016-12-09T13:46:42Z