Linux and Windows CPU monitoring

karthikbalakris
Explorer

Is it possible to have a single dashboard that gives the CPU usage for both Windows and Linux machines?
I tried a query something like the one below, but it didn't work.

host="CARDS_QA_*" sourcetype=cpu OR source=WMI:CPUTime eval CPULoad = PercentProcessorTime multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) avg(CPULoad) by host

0 Karma
1 Solution

bmacias84
Champion

OK, if I understand your objective correctly, you would like to display CPU usage as a percentage regardless of whether the system is Win or *Nix. I am also assuming that you only want pctIdle where pctUser equals all. My first step would be to normalize the data. Since it looks like you have multivalued fields for your *Nix events, I would use mvindex to return a single value or a subset.

I assume that this base search returns your events for both systems.


host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime)

This section tries to turn pctIdle into a percent and adds it to the field PercentProcessorTime just like the pre-existing field in Win data. I use mvindex to return the first value 0 in the multivalued field called pctIdle. Then I perform the math.

... | eval PercentProcessorTime=coalesce(PercentProcessorTime, 100-mvindex(pctIdle,0))

Then I use the fields command to verify the values by host. I should now see values for both *Nix and Win systems in PercentProcessorTime. The fields command is a great way to table and verify your data.

...|fields _time host, PercentProcessorTime

If everything looks good, I then perform a timechart command.

Example search:


host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime) | eval PercentProcessorTime=coalesce(PercentProcessorTime, 100-mvindex(pctIdle,0)) | fields _time host, PercentProcessorTime | timechart span=5m avg(PercentProcessorTime) as Percent_CPU_Load by host

You may need to play with it a bit to get the intended results. Another option would be to separate your searches and use join:

linux_cpu_search | fields _time,y,z | join _time [search win_cpu_search | fields _time,y,z] | timechart ...

I hope this helps or gets you started. Don't forget to accept or thumbs up the answer. Cheers

Additional reading:

Parsemultivaluefields

CommonEvalFunctions


0 Karma
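The normalization described in the answer above, reproduced outside Splunk as an added example (not part of the original post): it parses both raw event shapes, converts the *nix idle figure to a load percentage, and averages per host in 5-minute buckets. Host names and values are constructed, and selecting the CPU=all row by name rather than by position is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread): (epoch_seconds, host, raw_text).
EVENTS = [
    (0,   "LINUX_A", "CPU pctUser pctNice pctSystem pctIowait pctIdle\n"
                     "all 10.00 0.00 5.00 5.00 80.00\n"
                     "0 20.00 0.00 10.00 10.00 60.00\n"),
    (60,  "LINUX_A", "CPU pctUser pctNice pctSystem pctIowait pctIdle\n"
                     "all 30.00 0.00 5.00 5.00 60.00\n"),
    (30,  "WIN_B",   "PercentProcessorTime=25\nPercentUserTime=10\nwmi_type=CPUTime\n"),
    (400, "WIN_B",   "PercentProcessorTime=0\nPercentUserTime=0\nwmi_type=CPUTime\n"),
]

def cpu_load(raw):
    """Return CPU load percent for one event, or None if neither format matches."""
    m = re.search(r"^PercentProcessorTime=(\d+(?:\.\d+)?)$", raw, re.M)
    if m:                                  # Windows WMI event: already a load percent
        return float(m.group(1))
    lines = [l.split() for l in raw.splitlines() if l.strip()]
    if lines and "pctIdle" in lines[0]:    # *nix table: header row, then one row per CPU
        idle_col = lines[0].index("pctIdle")
        cpu_col = lines[0].index("CPU")
        for row in lines[1:]:
            # A row with missing columns is skipped instead of reading the wrong field.
            if len(row) == len(lines[0]) and row[cpu_col] == "all":
                return 100.0 - float(row[idle_col])
    return None

def timechart(events, span=300):
    """Average load per (bucket_start, host), like timechart span=5m avg(...) by host."""
    buckets = defaultdict(list)
    for ts, host, raw in events:
        load = cpu_load(raw)
        if load is not None:               # events that yield no value are left out
            buckets[(ts - ts % span, host)].append(load)
    return {k: sum(v) / len(v) for k, v in sorted(buckets.items())}

if __name__ == "__main__":
    for (start, host), avg in timechart(EVENTS).items():
        print(f"{start:>5} {host:<8} {avg:5.1f}")
```
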


karthikbalakris
Explorer

Raw Data for Windows:

1 » 11/12/12
4:46:20.890 PM

20121112164620.890625
PercentProcessorTime=0
PercentUserTime=0
wmi_type=CPUTime
host=HPSM_QA_APP | sourcetype=WMI:CPUTime | source=WMI:CPUTime

I am just looking for a normal line graph that has the CPU for both Windows and Linux servers, but I need it in only a single dashboard.

Thanks for your time and help.

0 Karma

karthikbalakris
Explorer

Raw Data for Linux:
1 » 11/12/12
4:46:07.000 PM

CPU pctUser pctNice pctSystem pctIowait pctIdle
PM all 0.25 0.00 0.25 99.50
PM 0 0.00 0.00 0.00 100.00
PM 1 0.00 0.00 0.00 100.00
PM 2 0.00 0.00 0.00 100.00
PM 3 0.00 0.00 0.00 100.00
host=CARDS_QA_WLI1 | sourcetype=cpu | source=cpu

0 Karma

bmacias84
Champion

@karthikbalak..., I have some ideas. Would you mind posting a sample of the _raw data for both? Also, how would you like that data displayed or broken down?

0 Karma