I tried to touch the PID file, but every time that nmon starts (again, every minute), it deletes the PID file and does not replace it.

I have 2 servers: cleteNAS (TA-nmon) and blackwellServer (local collection). I think the issue is on the server named blackwellServer.

Each server is very small (they are both mini-ITX AMD APUs with 3x2TB drives in RAID-5 and run apache/Splunk/some other stuff).

I have your latest version of nmon as of today.

In the logs I see that it is removing stale pid files every minute.

INFO: starting nmon : /usr/bin/nmon -f -T -d 1500 -s 60 -c 120 in /opt/splunk/var/run/nmon/var/nmon_repository
INFO: Removing staled pid file

I also see the processes stacking up:
root 17880 0.0 0.0 15432 1100 ? S 21:55 0:00 /usr/bin/nmon -f -T -d 1500 -s 60 -c 120
root 18396 0.0 0.0 15436 1100 ? S 21:56 0:00 /usr/bin/nmon -f -T -d 1500 -s 60 -c 120
root 18822 0.1 0.0 15280 964 ? S 21:57 0:00 /usr/bin/nmon -f -T -d 1500 -s 60 -c 120

The files in the nmon_repository directory that align to these still-running instances have constantly updating timestamps, which is probably causing Splunk to pull them in multiple times.

Indeed, I have modified your nmon_processing search. In the past 10 minutes, here are how many records were processed by host:
host count percent
blackwellServer 49 84.482759
cleteNAS 9 15.517241

I am not sure why the nmon processes are stacking up and the PID file is not being created.

Thanks for your detailed answer. I'm afraid I can't search right now due to license violations. I think I'm going to have to start over with my instance or wait 30 days. When I get it working next I'll run those searches and report back.

Hello !

I'm the author of the Nmon Splunk app, thank you for using it 🙂

There is must something bad, even 75% of 500 mb per day is very high moreover fro only 2 servers, unless you have very very big servers like Solaris domain zones or big AIX partitions... what i guess you don't... that should something less than 20-30 mb a day

What is the version of the App you are using ?
Can you verify that is there only one nmon process running at a time on the TA ? (multiple processes would result in dupplicating data)

The following sourcetype will contain important information too:

index=nmon sourcetype=nmon_collect

--> nmon_helper.sh execution output

index=nmon sourcetype=nmon_processing

--> nmon raw data conversion

Also, you can issue some event count to understand what's going on, some search like:

index=nmon earliest=-7d latest=now | timechart span=1d count by sourcetype

--> will count the number of events per sourcetype, 99% of data should be in nmon_data

index=nmon sourcetype=nmon_data earliest=-7d latest=now | timechart span=1d useother=f limit=0 count by type

--> will count the number of events per perf monitor

A simple perf monitor like CPU_ALL (cpu % usage, 1 event per update) should around 1 event per minute, so around 1400 events per day (there may be some gaps)

index=nmon_performance sourcetype=nmon_data type=CPU_ALL host=myhost | timechart count span=1d by sourcetype

I think your TA is generating too much data, for some reasons, probably dupplicating nmon instances ?