Paging Charting in *nix App

jodros
Builder

Has anyone added a custom chart to the *nix app or a custom app that shows Linux OS paging statistics? I know the data is there from the Splunk_TA_nix add-on, but some additional calculations might need to be performed to show current paging amounts, like streamstats.

Just curious. I have tried to find something in the *nix app, but couldn't find the stats I want. I am trying to mirror as best as possible the information that is provided by spotlight.

Thanks

1 Solution

jodros
Builder

I now have paging and swapping charts integrated into the *nix app. It seemed like the best fit on the Memory by Host view. I modified the view to include two more charts on row 3, moving the Physical Memory by Host chart to row 4. The dropdown selector also works with the paging charts. By default it will show all hosts paging stats, and if you select a single host, it will reflect that one host. The XML for my charts is below:

<module name="HiddenSearch" layoutPanel="panel_row3_col1" group="Average Paging Out in KB/s by Host" autoRun="False">
        <param name="search">index="os" source="vmstat" host=$host$ | multikv fields pgPageOut | streamstats current=f global=f window=1 first(pgPageOut) as next_pPO by host | eval podiff = next_pPO-pgPageOut | eval podiffps = podiff/60 | timechart avg(podiffps) by host</param>
        <param name="groupLabel">Average Paging Out in KB/s by Host</param>
        <module name="HiddenFieldPicker">
          <param name="strictMode">True</param>
          <module name="JobProgressIndicator">
            <module name="EnablePreview">
              <param name="enable">True</param>
              <param name="display">False</param>
              <module name="HiddenChartFormatter">
                <param name="charting.secondaryAxisTitle.text">Avg Page Out KB/s</param>
                <param name="charting.chart">line</param>
                <param name="charting.chart.nullValueMode">connect</param>
                <module name="JSChart">
                  <param name="width">100%</param>
                  <module name="ConvertToDrilldownSearch">
                    <module name="ViewRedirector">
                      <param name="viewTarget">flashtimeline</param>
                    </module>
                  </module>
                </module>
                <module name="ViewRedirectorLink">
                  <param name="viewTarget">flashtimeline</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
      <module name="HiddenSearch" layoutPanel="panel_row3_col2" group="Average Swapping Out in KB/s by Host" autoRun="False">
        <param name="search">index="os" source="vmstat" host=$host$ | multikv fields pgSwapOut | streamstats current=f global=f window=1 first(pgSwapOut) as next_pSO by host | eval sodiff = next_pSO-pgSwapOut | eval sodiffps = sodiff/60 | timechart avg(sodiffps) by host</param>
        <param name="groupLabel">Average Swapping Out in KB/s by Host</param>
        <module name="HiddenFieldPicker">
          <param name="strictMode">True</param>
          <module name="JobProgressIndicator">
            <module name="EnablePreview">
              <param name="enable">True</param>
              <param name="display">False</param>
              <module name="HiddenChartFormatter">
                <param name="charting.secondaryAxisTitle.text">Avg Swap Out KB/s</param>
                <param name="charting.chart">line</param>
                <param name="charting.chart.nullValueMode">connect</param>
                <module name="JSChart">
                  <param name="width">100%</param>
                  <module name="ConvertToDrilldownSearch">
                    <module name="ViewRedirector">
                      <param name="viewTarget">flashtimeline</param>
                    </module>
                  </module>
                </module>
                <module name="ViewRedirectorLink">
                  <param name="viewTarget">flashtimeline</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>

jodros
Builder

Attaching some pics of how it looks.

0 Karma

jodros
Builder

After tweaking this, I plan to move to the network charts. They seem a bit off to me.

0 Karma

sreedharmallemp
Explorer

Hi @jodros,

I am also looking for paging and swapping in detail. Were you able to achieve this through any tweaks to the script? If so, can you please help me with the vmstat.sh script that you have tweaked?

Thanks,

0 Karma

jodros
Builder

Thanks. Now I just need to tweak the vmstat.sh script to also include paging and swapping in. As it is right now, it only shows paging/swapping out. I'd like to have both.

Let me know if you have any suggestions on how I can improve it more!

0 Karma

araitz
Splunk Employee

Impressive that you were able to go from zero to sixty in 4 hours!

0 Karma

jodros
Builder

@araitz, you think you could help me tweak the vmstat.sh script? 🙂

0 Karma

jodros
Builder

Can anyone assist me in tweaking the vmstat.sh script to output pgPageIn and pgSwapIn? I looked over the script, but it is a bit over my head.

Thanks

0 Karma
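
On Linux, the page-in and swap-in counters asked about here sit beside the page-out ones in /proc/vmstat (pgpgin, pgpgout, pswpin, pswpout). The following is an added example, not part of the thread and not the add-on's vmstat.sh: it reads those counters from two constructed snapshots and applies the same difference-over-60-seconds step as the searches in this thread; the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not the Splunk_TA_nix vmstat.sh. Snapshot files are constructed.

# Print "pgpgin pgpgout pswpin pswpout" from a /proc/vmstat-format file.
read_paging_counters() {
    awk 'BEGIN { pgin = pgout = swin = swout = 0 }
         $1 == "pgpgin"  { pgin  = $2 }
         $1 == "pgpgout" { pgout = $2 }
         $1 == "pswpin"  { swin  = $2 }
         $1 == "pswpout" { swout = $2 }
         END { print pgin, pgout, swin, swout }' "${1:-/proc/vmstat}"
}

# per_second PREV CUR SECONDS: rate between two cumulative readings.
# Prints "reset" when the counter went backwards (for example after a reboot),
# where a plain subtraction would chart a large negative value.
per_second() {
    awk -v prev="$1" -v cur="$2" -v secs="$3" 'BEGIN {
        if (cur + 0 < prev + 0) { print "reset"; exit }
        printf "%.2f\n", (cur - prev) / secs
    }'
}

# paging_rates PREV_FILE CUR_FILE SECONDS: one key=value line per interval,
# using the thread's field names (pgPageIn and pgSwapIn are the requested ones).
paging_rates() {
    set -- $(read_paging_counters "$1") $(read_paging_counters "$2") "$3"
    printf 'pgPageIn=%s pgPageOut=%s pgSwapIn=%s pgSwapOut=%s\n' \
        "$(per_second "$1" "$5" "$9")" "$(per_second "$2" "$6" "$9")" \
        "$(per_second "$3" "$7" "$9")" "$(per_second "$4" "$8" "$9")"
}

# Constructed snapshots taken 60 seconds apart.
tmp=$(mktemp -d)
cat > "$tmp/t0" <<'EOF'
nr_free_pages 81234
pgpgin 1000000
pgpgout 5000000
pswpin 1200
pswpout 3400
EOF
cat > "$tmp/t1" <<'EOF'
nr_free_pages 80911
pgpgin 1000600
pgpgout 5003000
pswpin 1200
pswpout 3460
EOF
paging_rates "$tmp/t0" "$tmp/t1" 60
rm -rf "$tmp"
```

The key=value output line is a shape that Splunk's automatic field extraction picks up without multikv.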

jodros
Builder

So I made some searches that chart the pages per second for the pgPageOut and pgSwapOut fields generated by the vmstat.sh script for the Splunk_TA_unix add-on. This charts out the average pages per second for these fields. This seems like a chart that would have been included or canned with the *nix app.

Average Page Out in pages per second

index="os" source="vmstat" | multikv fields pgPageOut | streamstats current=f global=f window=1 first(pgPageOut) as next_pPO by host  | eval podiff = next_pPO-pgPageOut | eval podiffps = podiff/60 | timechart avg(podiffps) by host

Average Swap Out in pages per second

index="os" source="vmstat" | multikv fields pgSwapOut | streamstats current=f global=f window=1 first(pgSwapOut) as next_pSO by host | eval sodiff = next_pSO-pgSwapOut | eval sodiffps = sodiff/60 | timechart avg(sodiffps) by host

0 Karma

jodros
Builder

I plan on adding this to one of the *nix memory charts. Anyone else trying to get this kind of data visualized in charts?

0 Karma