In Splunk App for Unix and Linux cpu cores are shown in "hosts".
The core count is not correct.
As I can see, the count is made from this macro search:
apps/splunk_app_for_nix/install/SA-nix/default/macros.conf
[unix_nodes_detail_specs_cpu_by_host(1)]
args = host
definition = os_index
cpu_sourcetype
host=$host$ NOT cpu="all" | append [stats count | eval _raw="no results"] | head 100 | eval name="CPU:" | stats first(name) as name max(CPU) as cpus | eval cpus=if(isnum(cpus), tostring(cpus + 1) + " cores", "unknown - is cpu.sh enabled?")
I cannot find any information on this as a known problem anywhere. Can you help me out a bit here?
Adding export LC_ALL="en_US.UTF-8
to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/common.sh solved the issue.
Output of cpu.sh is now like this:
CPU pctUser pctNice pctSystem pctIowait pctIdle
all 4.04 0.00 1.01 0.00 94.95
0 4.04 0.00 1.01 0.00 94.950
..and the App seems to be working as expected.
Adding export LC_ALL="en_US.UTF-8
to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/common.sh solved the issue.
Output of cpu.sh is now like this:
CPU pctUser pctNice pctSystem pctIowait pctIdle
all 4.04 0.00 1.01 0.00 94.95
0 4.04 0.00 1.01 0.00 94.950
..and the App seems to be working as expected.
Thanks, I'll file a bug for this.
Hi gunzola,
how is the count not correct? Is it showing no result at all or a wrong count like 4 instead of 8 CPU's? What is the result if you run the cpu.sh directly on this host like this (maybe the path needs some tweaking, take it out of my head):
$SPLUNK_HOME/bin/splunk cmd /$SPLUNK_HOME/etc/apps/SA-unix/bin/cpu.sh
does this show the correct count?
Some *inx systems need to install sysinfo
utilities to get cpu.sh
running.
hope this helps to get you going ...
cheers, MuS
Splunk App for Unix 5.0.1
Splunk Add-on for *nix 5.0.2
I also did a downgrade to the Add-on version 5.0.1 (which is the version supplied along with the App). Same results.
We have a customer with the same issue - actually on CentOS-installation. I think I will ask Splunk Support for some assistance here.. and post any updates here of course.
We're running into the same problem here. Splunk Add-on for *nix 5.2.3 and Splunk Universal Forwarder 6.5.2. I have 12 forwarder clients all running Ubuntu 14.04 and a third of them an incorrect value in the CPU field.
I checked the output of cpu.sh on two systems and they both output the CPU core number in the first column. However once this output is ingested into Splunk, only one of them has a valid number (or "all") in the CPU field. The other one has something like "48.0" in the CPU field, which appears to be a load average.
This makes us unable to compare CPU usage across hosts.
The cpu.sh output's first column should be this:
CPU ...
all ...
0 ...
Instead, yours appears to be showing one of the pctNice or pctSystem columns... interesting. Run one of these two, the one present on your system is the input for cpu.sh:
sar -P ALL 1 1
mpstat -P ALL 1 1
What version of the app are you using?
Currently it states in Splunk For Unix-appn that my instance has "71.00 cores"
just as this search also returns 71.00 cores:
index=os source=cpu host=palle-virtual-machine NOT cpu="all" | append [stats count | eval _raw="no results"] | head 100 | eval name="CPU:" | stats first(name) as name max(CPU) as cpus | eval cpus=if(isnum(cpus), tostring(cpus + 1) + " cores", "unknown - is cpu.sh enabled?")
Output of cpu.sh
~/splunk/bin$ ./splunk cmd ../etc/apps/Splunk_TA_nix/bin/cpu.sh
CPU pctUser pctNice pctSystem pctIowait pctIdle
1.01 0.00 1.01 1.01 0.00 96.97
1.01 0.00 1.01 1.01 0.00 96.97
cat /proc/cpuinfo | fgrep -c processor
1
As a most basic check, you could run this:
cat /proc/cpuinfo | fgrep -c processor