There is a problem with multi processor machines, ...

las · ‎03-13-2015

Hi.

On windows machines with 2 or more cpu slots, the hostmon will return an event pr. slot. as seen by the following screenshot:

The problem is the way the search handles this, as it just makes a dedup by host:

{% searchmanager
id="computer-and-processor"
search='eventtype=hostmon_windows Type=OperatingSystem host="$Host$" | dedup host | eval OSArchitecture=Architecture | join host [search eventtype=hostmon_windows Type=Computer host="$Host$" | dedup host | eval ComputerManufacturer=Manufacturer] | join host [search eventtype=hostmon_windows Type=Processor host="$Host$" | dedup host]'|token_safe
autostart=False
%}

This will result in a grand total of 8 cores, not the 32, that actually is on the host.

kind regards

las

fdi01 · ‎03-13-2015

try this search :
eventtype=hostmon_windows Type=OperatingSystem host="$Host$" | eval OSArchitecture=Architecture | eval ComputerManufacturer=Manufacturer |eval number_of_cores=NumberofCore |eval Number_of_processors=NumberofProcessors
.....

or you use appendcols command because join command is no approprie to this context.

las · ‎03-13-2015

I agree with your notion, that it doesn't work, personally I considered using an eventstats, and still join the three types together.
What is more important is, that the query I pasted in the original question is used in the html, that is shipped with the app, so hopefully the guys working on Splunk app for windows infrastructure will see the post, so it might be corrected in the future, and until then its a head up, that Host Information might be incorrect in some cases.

There is a problem with multi processor machines, and the number of cores and Number of processors in the host information page.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!