All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

There is a problem with multi processor machines, and the number of cores and Number of processors in the host information page.

las
Contributor
‎03-13-2015 02:57 AM

Hi.

On windows machines with 2 or more cpu slots, the hostmon will return an event pr. slot. as seen by the following screenshot:alt text

The problem is the way the search handles this, as it just makes a dedup by host:

{% searchmanager
id="computer-and-processor"
search='eventtype=hostmon_windows Type=OperatingSystem host="$Host$" | dedup host | eval OSArchitecture=Architecture | join host [search eventtype=hostmon_windows Type=Computer host="$Host$" | dedup host | eval ComputerManufacturer=Manufacturer] | join host [search eventtype=hostmon_windows Type=Processor host="$Host$" | dedup host]'|token_safe
autostart=False
%}

This will result in a grand total of 8 cores, not the 32, that actually is on the host.

kind regards

las

Preview file
56 KB
0 Karma
Reply

fdi01
Motivator
‎03-13-2015 06:48 AM

try this search :
eventtype=hostmon_windows Type=OperatingSystem host="$Host$" | eval OSArchitecture=Architecture | eval ComputerManufacturer=Manufacturer |eval number_of_cores=NumberofCore |eval Number_of_processors=NumberofProcessors
.....

or you use appendcols command because join command is no approprie to this context.

0 Karma
Reply

las
Contributor
‎03-13-2015 12:17 PM

I agree with your notion, that it doesn't work, personally I considered using an eventstats, and still join the three types together.
What is more important is, that the query I pasted in the original question is used in the html, that is shipped with the app, so hopefully the guys working on Splunk app for windows infrastructure will see the post, so it might be corrected in the future, and until then its a head up, that Host Information might be incorrect in some cases.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...