Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk query to fetch Heavy forwarder's Hardware specifications

swamysanjanaput
Explorer
‎12-24-2019 12:51 AM

Hi Splunkers,

I am still a beginner, trying to write a query to fetch splunk heavy forwarder's cpu, memory usage and other hardware related stuff. With the below query i am not able to fetch the correct values for Heavy forwarders(see below results). So, could anyone please help me to resolve this issue.

Query: internal host=spi source="/opt/splunk/var/log/splunk/metrics.log" fwdType=full | dedup hostname | table hostname | join type=left [search index = * sourcetype=nix:hardware host=* | rex mode=sed "s/\s\s+/=/g" | extract kvdelim="=" pairdelim="\n" ] |table hostname,CPU_TYPE,CPU_COUNT,MEMORY_REAL

Results: Same values being replicated for all Hfs which is incorrect

Host CPU_TYPE CPU_COUNT MEMORY_REAL
HF 1 Intel(R) Xeon(R) @ 2.70GHz 12 24504164 kB

HF 2 Intel(R) Xeon(R) @2.70GHz 12 24504164 kB

HF 3 Intel(R) Xeon(R) @2.70GHz 12 24504164 kB

HF n Intel(R) Xeon(R) @ 2.70GHz 12 24504164 kB

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-24-2019 04:57 AM

Your join doesn't have a field to join on, such as the host name of your HFs.

Even better, don't use join if all you want is to filter one search by another search:

generating search for your hardware stuff [search for your HFs | dedup hostname | table hostname | rename hostname as host]
| rex, extract, table, whatever

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-24-2019 11:20 AM

The easiest way (AND FREE) is to enable platform instrumentation which will start populating the _introspection index (disabled by default) by following these steps:
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF

Then search like this:

index="_introspection" AND sourcetype="splunk_resource_usage"

Here are some other ways, too:
https://answers.splunk.com/answers/423998/is-there-an-easy-way-to-get-resource-usage-per-spl.html

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-24-2019 04:57 AM

Your join doesn't have a field to join on, such as the host name of your HFs.

Even better, don't use join if all you want is to filter one search by another search:

generating search for your hardware stuff [search for your HFs | dedup hostname | table hostname | rename hostname as host]
| rex, extract, table, whatever
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...