All Apps and Add-ons

SPL for displaying overview panel in splunk app for infrastructure.

nathanluke86
Communicator

I'm hoping someone could help.

I would like to create a dashboard for one of our hosts similar to the Splunk app for infrastructure overview page (as in screenshot below).

We are indexing as metrics (index=em_metrics) and would like to create the panels shown below.

alt text

Thanks

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

I think you are looking for SPLs to use for your dashboard i.e "mstats" command: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Mstats
You can use commands like mstats, mcatalog to look into em_metrics index.

Sample SPL for your dashboard:
| mstats avg(memory.free) WHERE index=em_metrics AND host=xyzz span=1m

You can split the above search by any dimension.
To get the list of dimensions:
| mcatalog values(_dims) WHERE index=em_metrics AND host=xyzz

You can pipe it to timechart to produce a chart: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Timechart

0 Karma

nathanluke86
Communicator

Hi @dagarwal_splunk,

I have been using the mstats command to create metrics dashboards etc but what I cant seem to figure out is how the CPU is calculated. I cant seem to get the same result. I am not sure what metric_name is used to get the required result CPU used %.

Only metrics are:

Process.%_Privileged_Time
Process.%_Processor_Time
Process.%_User_Time
Processor.%_C1_Time
Processor.%_C2_Time
Processor.%_Idle_Time
Processor.%_Interrupt_Time
Processor.%_Privileged_Time
Processor.%_Processor_Time
Processor.%_User_Time

Thanks

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

You should use Processor.%_Processor_Time for Cpu utilization.
See this to learn more about this metric: https://social.technet.microsoft.com/wiki/contents/articles/12984.understanding-processor-processor-...
Processor - % Processor Time is the percentage of elapsed time that the processor spends to execute a non-Idle thread. It is calculated by measuring the percentage of time that the processor spends executing the idle thread and then subtracting that value from 100%. (Each processor has an idle thread that consumes cycles when no other threads are ready to run). This counter is the primary indicator of processor activity, and displays the average percentage of busy time observed during the sample interval.

0 Karma

aberkow
Builder

Hi - are you able to find it by looking at the xml for the dashboard in {SplunkMachineName}{SplunkPath}\etc\apps\app(default|local)\ui\views?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...