Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Linux and Windows CPU monitoring
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is it possible to have a single dash board that gives the cpu usage for both windows and linux machines??
I tried a query some thing like the on below but it dint work.
host="CARDS_QA_*" sourcetype=cpu OR source=WMI:CPUTime eval CPULoad = PercentProcessorTime multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | timechart avg(Percent_CPU_Load) avg(CPULoad) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, If I understand your objective correctly you would like to display CPU usage as percentage regardless of if the system is Win or *Nix. I am also assuming that you only want pctIdle where pctUser equals all. My first step would be to normallize the data. Since it looks like you have multivalued fields for you *Nix event I would uses mvindex to return single or subset.
I assuem that this base search returns your events for both systems.
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime)
This section tries to turn pctIdle into a percent and adds it to the field PercentProcessorTime just like the pre-existing field in Win data. I use mvindex to return the first value 0 in the multivalued field called pctIdle. Then I perform the math.
... |eval PercentProcessorTime=(100-mvindex(pctIdle,0))
Then I uses the field command to verify the values by host. I should see values for both *Nix and Win systems now in the PercentProcessorTime. Fields command is a great way to table and verify your data.
...|fields _time host, PercentProcessorTime
If everthing looks good I then peform a timechart command.
Example search:
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime) |eval PercentProcessorTime=(100-mvindex(pctIdle,0))|fields _time host, PercentProcessorTime| timechart span=5m avg(PercentProcessorTime) as Percent_CPU_Load by host
You may need to play with a bit to get the intended results. Another option would be to sperate your seaches and use join. linux_cpu_seach | fields _time,y,z |join _time[search win_cpu_serch|fields _time,y,z] |timechart ...
I hope this helps or gets you started. Dont forget to accept or thumbs up answer. Cheers
Additional reading:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, If I understand your objective correctly you would like to display CPU usage as percentage regardless of if the system is Win or *Nix. I am also assuming that you only want pctIdle where pctUser equals all. My first step would be to normallize the data. Since it looks like you have multivalued fields for you *Nix event I would uses mvindex to return single or subset.
I assuem that this base search returns your events for both systems.
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime)
This section tries to turn pctIdle into a percent and adds it to the field PercentProcessorTime just like the pre-existing field in Win data. I use mvindex to return the first value 0 in the multivalued field called pctIdle. Then I perform the math.
... |eval PercentProcessorTime=(100-mvindex(pctIdle,0))
Then I uses the field command to verify the values by host. I should see values for both *Nix and Win systems now in the PercentProcessorTime. Fields command is a great way to table and verify your data.
...|fields _time host, PercentProcessorTime
If everthing looks good I then peform a timechart command.
Example search:
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime) |eval PercentProcessorTime=(100-mvindex(pctIdle,0))|fields _time host, PercentProcessorTime| timechart span=5m avg(PercentProcessorTime) as Percent_CPU_Load by host
You may need to play with a bit to get the intended results. Another option would be to sperate your seaches and use join. linux_cpu_seach | fields _time,y,z |join _time[search win_cpu_serch|fields _time,y,z] |timechart ...
I hope this helps or gets you started. Dont forget to accept or thumbs up answer. Cheers
Additional reading:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raw Data for Windows:
1 » 11/12/12
4:46:20.890 PM
20121112164620.890625
PercentProcessorTime=0
PercentUserTime=0
wmi_type=CPUTime
host=HPSM_QA_APP Options| sourcetype=WMI:CPUTime Options| source=WMI:CPUTime Options
I am just looking for a normal line graph that has the cpu for both windows and linux servers. but i need it in only a single dashboard.
Thanks for your time and help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raw Data for Linux:
1 » 11/12/12
4:46:07.000 PM
CPU pctUser pctNice pctSystem pctIowait pctIdle
PM all 0.25 0.00 0.25 99.50
PM 0 0.00 0.00 0.00 100.00
PM 1 0.00 0.00 0.00 100.00
PM 2 0.00 0.00 0.00 100.00
PM 3 0.00 0.00 0.00 100.00
host=CARDS_QA_WLI1 Options| sourcetype=cpu Options| source=cpu Options
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@karthikbalak..., I have some Ideas. Would you mind posting a sample the _raw data for your both. Also how would you like that data displayed or broken down?
Dashboards: Hiding charts while search is being executed and other uses for tokens
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
