All Apps and Add-ons

splunk for unix

Explorer

I have installed universal forwarder installed and it sends data to splunk indexer.When I check CPU by Host, I see chart called "Load Factor by Host".Can you explain me the meaning of that chart"Load Factor by Host" and also can you recommend me link where I can find more details.

0 Karma

Splunk Employee
Splunk Employee

The Load is the system load, 1 mintes average. It's parsed from the uptime in Linux.

$ uptime

00:11:39 up 42 days, 7:40, 3 users, load average: 2.29, 2.96, 3.43

In this case, the value should be 2.29.

As you might know, the system load is based on number of precess ready to run in CPU and number of processes with I/O wait status in kernel. Because this number include all the CPU cores. If you have 8 core CPUs, this value is generally higher than 4 core CPUs.

The search query for the chart is;

index=os sourcetype=vmstat host=$host$ 
   | multikv fields loadAvg1mi 
   | timechart avg(loadAvg1mi) by host

where $host$ is your choice in the Host pull-down. loadAvg1mi is the same as system load 1minutes average.

Unfortunately I could not find any document explaining about this. I checked the xml file and macro.conf, and the shell script to understand it.