- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Linux and Windows CPU monitoring
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
is it possible to have a single dash board that gives the cpu usage for both windows and linux machines??
I tried a query some thing like the on below but it dint work.
host="CARDS_QA_*" sourcetype=cpu OR source=WMI:CPUTime eval CPULoad = PercentProcessorTime multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) avg(CPULoad) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Ok, If I understand your objective correctly you would like to display CPU usage as percentage regardless of if the system is Win or *Nix. I am also assuming that you only want pctIdle where pctUser equals all. My first step would be to normallize the data. Since it looks like you have multivalued fields for you *Nix event I would uses mvindex to return single or subset.
I assuem that this base search returns your events for both systems.
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime)
This section tries to turn pctIdle into a percent and adds it to the field PercentProcessorTime just like the pre-existing field in Win data. I use mvindex to return the first value 0 in the multivalued field called pctIdle. Then I perform the math.
... |eval PercentProcessorTime=(100-mvindex(pctIdle,0))
Then I uses the field command to verify the values by host. I should see values for both *Nix and Win systems now in the PercentProcessorTime. Fields command is a great way to table and verify your data.
...|fields _time host, PercentProcessorTime
If everthing looks good I then peform a timechart command.
Example search:
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime) |eval PercentProcessorTime=(100-mvindex(pctIdle,0))|fields _time host, PercentProcessorTime| timechart span=5m avg(PercentProcessorTime) as Percent_CPU_Load by host
You may need to play with a bit to get the intended results. Another option would be to sperate your seaches and use join. linux_cpu_seach | fields _time,y,z |join _time[search win_cpu_serch|fields _time,y,z] |timechart ...
I hope this helps or gets you started. Dont forget to accept or thumbs up answer. Cheers
Additional reading:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Ok, If I understand your objective correctly you would like to display CPU usage as percentage regardless of if the system is Win or *Nix. I am also assuming that you only want pctIdle where pctUser equals all. My first step would be to normallize the data. Since it looks like you have multivalued fields for you *Nix event I would uses mvindex to return single or subset.
I assuem that this base search returns your events for both systems.
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime)
This section tries to turn pctIdle into a percent and adds it to the field PercentProcessorTime just like the pre-existing field in Win data. I use mvindex to return the first value 0 in the multivalued field called pctIdle. Then I perform the math.
... |eval PercentProcessorTime=(100-mvindex(pctIdle,0))
Then I uses the field command to verify the values by host. I should see values for both *Nix and Win systems now in the PercentProcessorTime. Fields command is a great way to table and verify your data.
...|fields _time host, PercentProcessorTime
If everthing looks good I then peform a timechart command.
Example search:
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime) |eval PercentProcessorTime=(100-mvindex(pctIdle,0))|fields _time host, PercentProcessorTime| timechart span=5m avg(PercentProcessorTime) as Percent_CPU_Load by host
You may need to play with a bit to get the intended results. Another option would be to sperate your seaches and use join. linux_cpu_seach | fields _time,y,z |join _time[search win_cpu_serch|fields _time,y,z] |timechart ...
I hope this helps or gets you started. Dont forget to accept or thumbs up answer. Cheers
Additional reading:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Raw Data for Windows:
1 » 11/12/12
4:46:20.890 PM
20121112164620.890625
PercentProcessorTime=0
PercentUserTime=0
wmi_type=CPUTime
host=HPSM_QA_APP Options| sourcetype=WMI:CPUTime Options| source=WMI:CPUTime Options
I am just looking for a normal line graph that has the cpu for both windows and linux servers. but i need it in only a single dashboard.
Thanks for your time and help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Raw Data for Linux:
1 » 11/12/12
4:46:07.000 PM
CPU pctUser pctNice pctSystem pctIowait pctIdle
PM all 0.25 0.00 0.25 99.50
PM 0 0.00 0.00 0.00 100.00
PM 1 0.00 0.00 0.00 100.00
PM 2 0.00 0.00 0.00 100.00
PM 3 0.00 0.00 0.00 100.00
host=CARDS_QA_WLI1 Options| sourcetype=cpu Options| source=cpu Options
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
@karthikbalak..., I have some Ideas. Would you mind posting a sample the _raw data for your both. Also how would you like that data displayed or broken down?
Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.
Find out what your skills are worth!
Read the report >
