We installed Splunk_TA_nix and enabled both cpu.sh and cpu_metrics.sh to capture CPU-related logs. Is there an SPL query we can use to calculate CPU utilization? I do not have an in-depth Linux background, so I am not sure which fields should be used to calculate the percentage of CPU utilization. If you can share the formula or the fields I need to use from Splunk_TA_nix, I would appreciate it. Our aim is to check the historical CPU utilization of our Splunk Heavy Forwarder. Thanks
The easiest way is to take the "Splunk App for Unix and Linux" (https://splunkbase.splunk.com/app/273/) and extract all the searches you need for your monitoring.
Anyway, if you're ingesting logs using the "Splunk Add-On for Unix and Linux" (https://splunkbase.splunk.com/app/833/) and you have it also on your Search Head, you can use a search like this:
index=os sourcetype=hardware $host$ | dedup host | eval MEMORY_REAL=MEMORY_REAL/1024/1024, MEMORY_SWAP=MEMORY_SWAP/1024/1024, host=upper(host) | table CPU_TYPE CPU_COUNT CPU_CACHE MEMORY_REAL MEMORY_SWAP fd0 hdc sda | rename CPU_TYPE AS CPU CPU_COUNT AS "Number of CPUs" CPU_CACHE AS Cache MEMORY_REAL AS RAM MEMORY_SWAP AS Swap HARD_DRIVES AS "Hard Disks" fd0 AS "Floppy Disk" hdc AS "Hard Disk" sda AS "Virtual disk"
In other words, see the fields you have from a Linux system and use them in your searches.
I can see that you are using sourcetype=hardware.
Do you have SPL that uses sourcetype=cpu or sourcetype=ps?
I was looking for something like a formula to get the CPU utilization; however, I am not quite sure which fields we should use to compute it.
I didn't use the sourcetype=cpu, but I used the sourcetype=ps:
index=os sourcetype=ps $host$ | multikv | table USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS
but you can create the other following the same approach.
But anyway, in the Splunk App for Linux and Unix you can find all the searches.
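Following the same approach as the ps search above, here is an added example search for the cpu sourcetype (not from the original posts or from the Splunk app). It assumes the column names that multikv extracts from the TA's cpu.sh output (CPU, pctUser, pctNice, pctSystem, pctIowait, pctIdle), that the row with CPU="all" is the aggregate over all cores, and that YOUR_HF_HOSTNAME is a placeholder for the Heavy Forwarder's host value.

```spl
index=os sourcetype=cpu host=YOUR_HF_HOSTNAME
| multikv
| search CPU="all"
| eval pctBusy = 100 - tonumber(pctIdle)
| timechart span=15m avg(pctBusy) AS avg_busy_pct, max(pctBusy) AS peak_busy_pct, avg(pctIowait) AS avg_iowait_pct, avg(pctSystem) AS avg_system_pct
```

Utilization here is simply 100 minus the idle percentage; keeping pctIowait and pctSystem alongside it tells you whether a busy period is real compute load or the host waiting on disk.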