topic Re: Linux and Windows CPU monitoring in Dashboards & Visualizations

Linux and Windows CPU monitoring

karthikbalakris — Mon, 28 Sep 2020 12:47:18 GMT

is it possible to have a single dash board that gives the cpu usage for both windows and linux machines??
I tried a query some thing like the on below but it dint work.

host="CARDS_QA_*" sourcetype=cpu OR source=WMI:CPUTime eval CPULoad = PercentProcessorTime multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) avg(CPULoad) by host

Re: Linux and Windows CPU monitoring

bmacias84 — Mon, 12 Nov 2012 21:43:13 GMT

@karthikbalak..., I have some Ideas. Would you mind posting a sample the _raw data for your both. Also how would you like that data displayed or broken down?

Re: Linux and Windows CPU monitoring

karthikbalakris — Mon, 28 Sep 2020 12:47:24 GMT

Raw Data for Linux:
1 » 11/12/12
4:46:07.000 PM

CPU pctUser pctNice pctSystem pctIowait pctIdle
PM all 0.25 0.00 0.25 99.50
PM 0 0.00 0.00 0.00 100.00
PM 1 0.00 0.00 0.00 100.00
PM 2 0.00 0.00 0.00 100.00
PM 3 0.00 0.00 0.00 100.00
host=CARDS_QA_WLI1 Options| sourcetype=cpu Options| source=cpu Options

Re: Linux and Windows CPU monitoring

karthikbalakris — Mon, 28 Sep 2020 12:47:26 GMT

Raw Data for Windows:

1 » 11/12/12
4:46:20.890 PM

20121112164620.890625
PercentProcessorTime=0
PercentUserTime=0
wmi_type=CPUTime
host=HPSM_QA_APP Options| sourcetype=WMI:CPUTime Options| source=WMI:CPUTime Options

I am just looking for a normal line graph that has the cpu for both windows and linux servers. but i need it in only a single dashboard.

Thanks for your time and help.

Re: Linux and Windows CPU monitoring

bmacias84 — Tue, 13 Nov 2012 01:18:45 GMT

Ok, If I understand your objective correctly you would like to display CPU usage as percentage regardless of if the system is Win or *Nix. I am also assuming that you only want pctIdle where pctUser equals all. My first step would be to normallize the data. Since it looks like you have multivalued fields for you *Nix event I would uses mvindex to return single or subset.

I assuem that this base search returns your events for both systems.



host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime)

This section tries to turn pctIdle into a percent and adds it to the field PercentProcessorTime just like the pre-existing field in Win data. I use mvindex to return the first value 0 in the multivalued field called pctIdle. Then I perform the math.



... |eval PercentProcessorTime=(100-mvindex(pctIdle,0))

Then I uses the field command to verify the values by host. I should see values for both *Nix and Win systems now in the PercentProcessorTime. Fields command is a great way to table and verify your data.



...|fields _time host, PercentProcessorTime

If everthing looks good I then peform a timechart command.

Example search:



host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime) |eval PercentProcessorTime=(100-mvindex(pctIdle,0))|fields _time host, PercentProcessorTime| timechart span=5m avg(PercentProcessorTime) as Percent_CPU_Load by host

You may need to play with a bit to get the intended results. Another option would be to sperate your seaches and use join. linux_cpu_seach | fields _time,y,z |join _time[search win_cpu_serch|fields _time,y,z] |timechart ...

I hope this helps or gets you started. Dont forget to accept or thumbs up answer. Cheers

Additional reading:

Parsemultivaluefields

CommonEvalFunctions