Re: splunk for unix

bwenge · ‎05-18-2011

I have installed universal forwarder installed and it sends data to splunk indexer.When I check CPU by Host, I see chart called "Load Factor by Host".Can you explain me the meaning of that chart"Load Factor by Host" and also can you recommend me link where I can find more details.

Masa · ‎05-19-2011

The Load is the system load, 1 mintes average. It's parsed from the uptime in Linux.

$ uptime

00:11:39 up 42 days, 7:40, 3 users, load average: 2.29, 2.96, 3.43

In this case, the value should be 2.29.

As you might know, the system load is based on number of precess ready to run in CPU and number of processes with I/O wait status in kernel. Because this number include all the CPU cores. If you have 8 core CPUs, this value is generally higher than 4 core CPUs.

The search query for the chart is;

index=os sourcetype=vmstat host=$host$ 
   | multikv fields loadAvg1mi 
   | timechart avg(loadAvg1mi) by host

where $host$ is your choice in the Host pull-down. loadAvg1mi is the same as system load 1minutes average.

Unfortunately I could not find any document explaining about this. I checked the xml file and macro.conf, and the shell script to understand it.

splunk for unix

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!