
Splunk App for Unix and Linux: How to edit vmstat.sh script to collect current free memory stats?

mcomfurf
Path Finder

From what I can tell, the vmstat.sh script in the Nix app runs the vmstat 1 1 command to collect memory information. However, this brings back averages since the machine was last rebooted rather than current information. Has anyone tweaked the scripts to run something like vmstat 2 2 and ignore the first line of data returned, in order to get current stats?

0 Karma

morgan03
New Member

I changed the script.

My method is
vmstat 1 1 => vmstat 3 3

This changes the interval from 1 second to 3 seconds and takes three samples.

Because the data line changed from 5 to 7, "PARSE_0" has to be corrected to the right line: NR==5 => NR==7. It will then get the right line.

    if [ $SOLARIS_8 -o $SOLARIS_9 ] ; then
            CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat    3 3   ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2; '
    else
            CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 3 3 ; vmstat -s ; prstat -n 1 1 1; `dirname $0`/hardware.sh; sar -gp 1 2'
    fi
    PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==7) {memFreeMB=$5 / 1024}'

0 Karma

cb_usps
Explorer

In the current *Nix Add-On v 5.2.2, in vmstat.sh, this is how I've edited the command for Solaris:

    CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 2|tail -1 ; vmstat -s ; prstat -n 1 1 1; echo CPU_COUNT `psrinfo | grep -c "on-line"`; sar -gp 1 2'

Basically, anywhere in the TA that uses 'vmstat' or any other command which returns the average stats since boot for the first iteration, run 2 iterations of the stats and pipe to tail -1. The Linux command does not use 'vmstat' to get the memory statistics which is why my example is for Solaris.

I say basically, because it depends on how the output is parsed with the 'awk' script. Most of the time, the 2 iterations and pipe to tail -1 is correct, but some of the awk parsers are built to grab the data differently.

One final bit of advice. If you do edit any of the scripts, you probably want to copy the entire TA to a newly named TA and push your custom TA and stop pushing the original *Nix TA. Do this for the same reason you edit files in the local directory, and not the default directory.

0 Karma

morgan03
New Member

I used vmstat and got two different free memory values.

    46># vmstat 1 1
    kthr memory page disk faults cpu
    r b w swap free re mf pi po fr de sr m0 m1 m6 m7 in sy cs us sy id
    0 0 70 25107016 2683376 16 41 203 241 246 0 437 2 24 0 2 1459 2193 1735 1 0 99

    47># vmstat 3 3
    kthr memory page disk faults cpu
    r b w swap free re mf pi po fr de sr m0 m1 m6 m7 in sy cs us sy id
    0 0 70 25107008 2683376 16 41 203 241 246 0 437 2 24 0 2 1459 2193 1735 1 0 99
    0 0 104 20028496 510088 4 26 0 0 0 0 0 0 0 0 2 1382 1102 1682 0 0 99
    0 0 104 20028240 509824 0 52 0 0 0 0 0 0 0 0 0 1858 1428 2396 1 0 99

2683376 and 510088: the gap is too large.

0 Karma
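
A fixed `NR==7` rule has to be re-edited whenever the sample count changes, which is the parser dependency raised in this thread. The sketch below is an added example (not from any poster and not the TA's own code): it finds the `free` column from the vmstat header and reports the last sample, refusing a lone since-boot sample. The function names and the `Memory size` and `swap ins` lines are assumptions made up for the example; the vmstat rows are the `vmstat 3 3` output quoted above.

```shell
#!/bin/sh
# Added example, not part of the *Nix TA. Sample input is constructed:
# the vmstat rows are the "vmstat 3 3" output quoted in this thread; the
# "Memory size" and "swap ins" lines are made-up stand-ins for the
# prtconf and vmstat -s output that surrounds vmstat in CMD.
sample_output() {
cat <<'EOF'
Memory size: 32768 Megabytes
 kthr memory page disk faults cpu
 r b w swap free re mf pi po fr de sr m0 m1 m6 m7 in sy cs us sy id
 0 0 70 25107008 2683376 16 41 203 241 246 0 437 2 24 0 2 1459 2193 1735 1 0 99
 0 0 104 20028496 510088 4 26 0 0 0 0 0 0 0 0 2 1382 1102 1682 0 0 99
 0 0 104 20028240 509824 0 52 0 0 0 0 0 0 0 0 0 1858 1428 2396 1 0 99
        0 swap ins
EOF
}

# Print free memory in MB from the LAST vmstat sample read on stdin.
# Exit status 1 if fewer than two samples were seen, because a lone
# sample is the since-boot average discussed in the thread.
last_free_mb() {
    LC_ALL=C awk '
        # Second vmstat header line: remember its width and the "free" column.
        $1 == "r" && $2 == "b" {
            cols = NF; col = 0; n = 0
            for (i = 1; i <= NF; i++) if ($i == "free") col = i
            next
        }
        # A data row has the header width and starts with a number.
        col && NF == cols && $1 ~ /^[0-9]+$/ { free_kb = $col; n++; next }
        # Any other line after the data rows (e.g. vmstat -s) ends the table.
        n { col = 0 }
        END {
            if (n < 2) exit 1
            printf "%.3f\n", free_kb / 1024
        }
    '
}

sample_output | last_free_mb   # prints 497.875
```
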

Random_Walk
Path Finder

This thread is a little old now, but if anyone is interested, I wrote a daemon that runs vmstat 60 and parses the output into a metric csv form file, adding a record every 60 seconds. This is then monitored from inputs.conf.

0 Karma