CPU Utilization using Splunk_TA_nix

jaracan
Communicator

Hi,

We installed Splunk_TA_nix and enabled both cpu.sh and cpu_metrics.sh to capture CPU-related logs. Is there an SPL query we can use to calculate the CPU utilization? I do not have an in-depth Linux background, so I am not sure which fields should be used to calculate the percentage of CPU utilization. If you can share the formula or fields I need to use from Splunk_TA_nix, I would appreciate it. Our aim is to check the historical CPU utilization of our Splunk Heavy Forwarder. Thanks

gcusello
SplunkTrust

Hi @jaracan,

the easiest way is to take the "Splunk App for Unix and Linux" (https://splunkbase.splunk.com/app/273/) and extract all the searches you need for your monitoring.

Anyway, if you're ingesting logs using the "Splunk Add-On for Unix and Linux" (https://splunkbase.splunk.com/app/833/) and you have it also on your Search Head, you can use a search like this:

index=os sourcetype=hardware $host$
| dedup host
| eval MEMORY_REAL=MEMORY_REAL/1024/1024, MEMORY_SWAP=MEMORY_SWAP/1024/1024, host=upper(host)
| table CPU_TYPE CPU_COUNT CPU_CACHE MEMORY_REAL MEMORY_SWAP HARD_DRIVES fd0 hdc sda
| rename CPU_TYPE AS CPU CPU_COUNT AS "Number of CPUs" CPU_CACHE AS Cache MEMORY_REAL AS RAM MEMORY_SWAP AS Swap HARD_DRIVES AS "Hard Disks" fd0 AS "Floppy Disk" hdc AS "Hard Disk" sda AS "Virtual disk"

in other words, see the fields you have from a Linux system and use them in your searches.

Ciao.

Giuseppe

jaracan
Communicator

Hi,

I can see that you are using sourcetype=hardware.

Do you have SPL that uses sourcetype=cpu or sourcetype=ps?
I was looking for something like a formula to get the CPU utilization; however, I am not quite sure which fields we should use to compute it.

gcusello
SplunkTrust

Hi @jaracan,

I didn't use sourcetype=cpu, but I used sourcetype=ps:

index=os sourcetype=ps $host$
| multikv
| table USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS

but you can create the other one following the same approach.

But anyway, in the Splunk App for Linux and Unix you can find all the searches.

Ciao.

Giuseppe

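An added example for the sourcetype=cpu question above; it is not from this thread or from Splunk_TA_nix itself. It assumes the data lands in index=os and that the cpu events carry the columns cpu.sh prints (CPU, pctUser, pctNice, pctSystem, pctIowait, pctIdle) with one row per core plus an `all` row; `<your-heavy-forwarder>` is a placeholder for the forwarder's host value.

```spl
index=os sourcetype=cpu host=<your-heavy-forwarder>
| multikv
| search CPU=all
| eval pct_util = 100 - pctIdle
| eval pct_util_no_iowait = pctUser + pctNice + pctSystem
| timechart span=15m avg(pct_util) AS avg_cpu_pct, max(pct_util) AS peak_cpu_pct, avg(pct_util_no_iowait) AS avg_cpu_pct_excl_iowait, avg(pctIowait) AS avg_iowait_pct
```

Utilization is simply 100 minus pctIdle on the `all` row (filtering to that row matters, otherwise the per-core rows get averaged in), and the second measure leaves out pctIowait, which is time the CPU sat idle waiting on disk, so a gap between the two columns points at I/O rather than compute. If the add-on's own field extractions already populate these fields on your search head, the multikv line is unnecessary.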