Monitoring Splunk

How to Monitor CPU usage

vamsi92
Explorer

I want to see my CPU usage statistics.
I tried using the search "host="CARDS_QA_" (sourcetype=cpu OR source=WMI:CPUTime)"
and
host="CARDS_QA_" (sourcetype=cpu)
But my search is generating no results.
I want to continuously monitor CPU usage and want to report if it is more than 80% for 5-10 seconds.
Can you please edit and update my search code?
I have 2 Splunk instances, one on Windows and one on Linux.
And please specify whether there will be any difference in the search based on OS.

0 Karma

ddrillic
Ultra Champion

I would start with -
index="_introspection" source="/opt/splunk/var/log/introspection/resource_usage.log"

It shows the cpu usage...

0 Karma

vamsi92
Explorer

Thank you DDrillic,
But I want to monitor not only Splunk utilization; I want to monitor normal overall CPU usage.
For example, if some 5 processes are running, there may be a chance that CPU usage will be above 60% or 80%, and then Splunk should be able to detect that. So I am looking for that search string.
So kindly help me out.
Thanks in advance.

0 Karma

ddrillic
Ultra Champion

Very interesting.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Troubleshooting/WhatSplunklogsaboutitself#Introspe... speaks about it and it says -

"It gathers data about your Splunk instance and operating system and writes it to log files that you can search later to aid in troubleshooting a variety of problems."

So, I'm not sure whether and how the overall system's data is captured.

0 Karma

muebel
SplunkTrust

Hi vamsi92, I'd try to find exactly how you are getting the CPU metrics into Splunk. Take a look at the inputs configuration for the host. Maybe you are using the Splunk_TA_Windows app? I'd expect you are getting CPU metrics in through WMI in that case.

If the inputs are set up correctly, then it is a matter of making sure that all the data is getting from the host to the Splunk index. I'd check if any events at all are making it in from that host. Do you collect WinEventLog? Check that you can find that.

At that point it's a matter of ensuring that you have access to whatever index the CPU metrics are being stored in. This would be a Splunk administrator task.

Please let me know if this helps!

0 Karma

vamsi92
Explorer

Hey, thank you muebel. But is it absolutely necessary to use the Splunk Windows app? Because the task at hand is to measure overall CPU usage, which is the combined effect of all the processes running on a Linux system and similarly on a Windows system (each has Splunk installed on it, of the corresponding OS version).
So is it possible through a search string which can access the CPU logs and get the result when CPU usage is >60 or >80?
Can you please help me out with that?
Thanks in advance.

0 Karma
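
A threshold search of the kind the thread asks for, added here as an example and not posted by any participant. It assumes the host names share the `CARDS_QA_` prefix (hence the `*` wildcard), that Linux CPU events arrive as `sourcetype=cpu` with a `pctIdle` field and an aggregate `CPU=all` row (as the Splunk Add-on for Unix and Linux produces), and that the Windows `WMI:CPUTime` input returns `PercentProcessorTime`; check these field names against your own events.

```spl
index=* host="CARDS_QA_*" ((sourcetype=cpu CPU=all) OR source="WMI:CPUTime")
| eval os = if(sourcetype=="cpu", "linux", "windows")
| eval cpu_used = coalesce(100 - pctIdle, PercentProcessorTime)
| where isnotnull(cpu_used)
| bin _time span=10s
| stats min(cpu_used) AS min_cpu, max(cpu_used) AS max_cpu, count AS samples BY host, os, _time
| where min_cpu > 80
| sort - _time
```

Using `min` per 10-second bucket means every sample in the bucket was above 80%, so the input has to sample more often than once per bucket for "sustained" to mean anything. An empty result points back to the checks muebel lists: whether the CPU input is enabled on the host and whether your role can read the index it writes to.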