All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CPU Utilization using Splunk_TA_nix

jaracan
Communicator
‎01-20-2022 11:42 PM

Hi,

We install Splunk_TA_nix and enabled both cpu.sh and cpu_metrics.sh to capture cpu related logs. Do we have SPL query we can use to calculate the CPU Utilization. I do not have indepth Linux background so I am not sure which fields should be use to calculate the percentage of  CPU Utilization. If you can share the formula or fields I need to use from Splunk_TA_nix , I would appreciate it. Our aim is to check the historical  CPU Utilization of our Splunk Heavy Forwarder. Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2022 11:49 PM

Hi @jaracan,

the easiest way is to take the "Splunk App for Unix and Linux" (https://splunkbase.splunk.com/app/273/) and extract all the searches you need for your monitoring.

Anyway, if you're ingesting logs using the "Splunk Add-On for Unix and Linux" (https://splunkbase.splunk.com/app/833/) and you have it also on your Search Head, you can use a search like this:

index=os sourcetype=hardware $host$
| dedup host 
| eval MEMORY_REAL=MEMORY_REAL/1024/1024, MEMORY_SWAP=MEMORY_SWAP/1024/1024, host=upper(host)
| table CPU_TYPE CPU_COUNT CPU_CACHE MEMORY_REAL MEMORY_SWAP fd0 hdc sda 
| rename CPU_TYPE AS CPU CPU_COUNT AS "Number of CPUs" CPU_CACHE AS Cache MEMORY_REAL As RAM MEMORY_SWAP AS Swap HARD_DRIVES AS "Hard Disks" fd0 AS "Floppy Disk" hdc AS "Hard Disk" sda AS "Virtual disk"

in other words, see the fields you have from a Linux system and use them in your searches.

Ciao.

Giuseppe

0 Karma
Reply

jaracan
Communicator
‎01-21-2022 12:04 AM

Hi,

 

I can see that you are using sourcetype=hardware.

Do you have SPL that uses sourcetype=cpu or sourcetype=ps.
I was looking for something like a formula to get the CPU Utilization,. however, I am not quite sure which fields should we use to compute it.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2022 01:47 AM

Hi @jaracan,

I didn't used the sourcetype=cpu, but I used the sourcetype=ps:

index=os sourcetype=ps $host$ 
| multikv 
| table USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS

but you can create the other following the same approach.

But anyway, in the Splunk App for Linux and Unix you can find all the searches.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...