topic Re: Search string to method to determine heavy hitter servers by operating system in Splunk Search

Search string to method to determine heavy hitter servers by operating system

OMohi — Thu, 01 Aug 2013 15:50:00 GMT

Hi:

Is there a procedure or a search string to determine heavy hitter hostname based on operating system. We work on five different operating systems and would like to determine the usage based per os level.

Thanks,
Obaid

Re: Search string to method to determine heavy hitter servers by operating system

martin_mueller — Fri, 02 Aug 2013 11:41:34 GMT

You could tag your hostnames with the OS, and split your query by that tag. Alternatively, you can do the same with a lookup.

Re: Search string to method to determine heavy hitter servers by operating system

sowings — Fri, 02 Aug 2013 13:23:08 GMT

Assuming you mean license usage?

Re: Search string to method to determine heavy hitter servers by operating system

OMohi — Fri, 02 Aug 2013 14:08:45 GMT

Yes you r right. I am assuming licensing usage by operating system, split down by hostnames which has the os installed.

Re: Search string to method to determine heavy hitter servers by operating system

sowings — Mon, 05 Aug 2013 14:12:52 GMT

Try the metrics.log. During each metrics dump (every 30 seconds), the "top X biggest Y" are written out. Where X is defaulted to ten (10), and Y is sourcetype, host, index, etc. The search string would read like:

index=_internal source=*metrics.log group=tcpin_connections | stats sum(kb) AS kb by os

You could also use the results from the os field in the tcpin_connections, to evaluate the OS while getting the accurate license usage from license_usage.log.

Re: Search string to method to determine heavy hitter servers by operating system

OMohi — Tue, 13 Aug 2013 08:46:58 GMT

could you break down the search to specify heavy hitters by host build using a particular o/s (eg windows)