https://community.splunk.com/t5/Monitoring-Splunk/Is-nix-sourcetype-ps-pctCPU-really-suitable-for-charting-OOTB/m-p/40198#M444 <P>Hi all, I am reasoning about the *nix app sourcetype=ps' pctCPU metric and how to plot it correctly.</P> <P>I see Splunk's <EM>nix app generally plots it by doing *</EM>... | timechart avg(pctCPU) by ...**. This would be perfectly fine if pctCPU expressed the instantaneous usage of cpu (as top does). Instead, per "man ps" definition (RHEL 5.5): </P> <PRE><CODE> %cpu %CPU cpu utilization of the process in "##.#" format. Currently, it is the CPU time used divided by the time the process has been running (cputime/realtime ratio), expressed as a percentage. It will not add up to 100% unless you are lucky. (alias pcpu). </CODE></PRE> <P><EM>pctCPU</EM> expresses the average cpu used by the process since its startup (cpu time / total run time)!</P> <P>Say the process has long been running with low usage, then it has a burst for some minutes, then usage drops again. Ps' pctCPU would not reflect this behaviour as the total cpu time over which it has been computed did not increment that much with respect to total runtime. pctCPU is smoothed in this case.</P> <P>Does my reasoning make any sense to you? </P> <P>I have a quite complex solution under work which involves computing deltas of CPUTIME and ELAPSED (splunk's ps.sh definitions) for any multikv'ed ps execution, then compute "instantaneous" pctCPU, then average and plot it. <BR /> However, this is a fairly slow (requires to use <EM>| sort +host +PID +COMMAND +_time</EM> with all its limits) and complex solution. </P> <P>Has anybody came up with something better?</P> Fri, 08 Jul 2011 15:11:27 GMT Paolo_Prigione 2011-07-08T15:11:27Z https://community.splunk.com/t5/Monitoring-Splunk/Is-nix-sourcetype-ps-pctCPU-really-suitable-for-charting-OOTB/m-p/40198#M444 <P>Hi all, I am reasoning about the *nix app sourcetype=ps' pctCPU metric and how to plot it correctly.</P> <P>I see Splunk's <EM>nix app generally plots it by doing *</EM>... | timechart avg(pctCPU) by ...**. This would be perfectly fine if pctCPU expressed the instantaneous usage of cpu (as top does). Instead, per "man ps" definition (RHEL 5.5): </P> <PRE><CODE> %cpu %CPU cpu utilization of the process in "##.#" format. Currently, it is the CPU time used divided by the time the process has been running (cputime/realtime ratio), expressed as a percentage. It will not add up to 100% unless you are lucky. (alias pcpu). </CODE></PRE> <P><EM>pctCPU</EM> expresses the average cpu used by the process since its startup (cpu time / total run time)!</P> <P>Say the process has long been running with low usage, then it has a burst for some minutes, then usage drops again. Ps' pctCPU would not reflect this behaviour as the total cpu time over which it has been computed did not increment that much with respect to total runtime. pctCPU is smoothed in this case.</P> <P>Does my reasoning make any sense to you? </P> <P>I have a quite complex solution under work which involves computing deltas of CPUTIME and ELAPSED (splunk's ps.sh definitions) for any multikv'ed ps execution, then compute "instantaneous" pctCPU, then average and plot it. <BR /> However, this is a fairly slow (requires to use <EM>| sort +host +PID +COMMAND +_time</EM> with all its limits) and complex solution. </P> <P>Has anybody came up with something better?</P> Fri, 08 Jul 2011 15:11:27 GMT https://community.splunk.com/t5/Monitoring-Splunk/Is-nix-sourcetype-ps-pctCPU-really-suitable-for-charting-OOTB/m-p/40198#M444 Paolo_Prigione 2011-07-08T15:11:27Z https://community.splunk.com/t5/Monitoring-Splunk/Is-nix-sourcetype-ps-pctCPU-really-suitable-for-charting-OOTB/m-p/40199#M445 <P>A simplistic answer would be to use <CODE>sourcetype=top</CODE> instead. I have the same problem, but my use case requires stats by fields only available in <CODE>sourcetype=ps</CODE>. Therefore the simplistic answer wouldn't suffice. The unfortunate use of the same field name <CODE>pctCPU</CODE> in these two sources to mean very different things has prompted my new question <A href="https://answers.splunk.com/answers/318807/how-to-cherry-pick-values-from-different-sources.html">https://answers.splunk.com/answers/318807/how-to-cherry-pick-values-from-different-sources.html</A>.</P> Wed, 21 Oct 2015 06:01:25 GMT https://community.splunk.com/t5/Monitoring-Splunk/Is-nix-sourcetype-ps-pctCPU-really-suitable-for-charting-OOTB/m-p/40199#M445 yuanliu 2015-10-21T06:01:25Z https://community.splunk.com/t5/Monitoring-Splunk/Is-nix-sourcetype-ps-pctCPU-really-suitable-for-charting-OOTB/m-p/40200#M446 <P>A more sophisticated solution to this problem is posted in the above question.</P> Wed, 21 Oct 2015 18:32:03 GMT https://community.splunk.com/t5/Monitoring-Splunk/Is-nix-sourcetype-ps-pctCPU-really-suitable-for-charting-OOTB/m-p/40200#M446 yuanliu 2015-10-21T18:32:03Z