- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Query to get average memory usage in linux
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need help in finding the average memory usage of 100+ linux server. we dont have permon in splunk so i cant use that to get the memory data.
We have 1000s of server. For CPU , I somehow found below queries . But couldn't get one for memory usage.
Average CPU :
index=os host=hostname sourcetype=cpu | multikv | search CPU="all" | eval pctCPU=100-pctIdle | stats avg(pctCPU) by host
For max CPU :
index=os sourcetype=top host=hostname |stats max(pctCPU) AS maxCPU by _time, PID, COMMAND|sort -maxCPU
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ultimately you need the memory usage information to appear in a log on the server so that Splunk can work with it. If you don't have a log with this information, then you will have to generate it yourself, either by installing a monitoring software or by running a scripted input.
One potential solution would be to run a scripted input on each linux server, which indexes the result of the "free -m" command. (perhaps with a grep to get a single line)
To do this, make an app or modify an app that is deployed to your linux servers.
Here is the stanza for the inputs.conf of the app: (insert app name, index, interval, and sourcetype name below)
[script://$SPLUNK_HOME/etc/apps/<appName>/bin/getmem.sh]
disabled = false
index = ????
interval = 60
sourcetype = ????Here is the code for the script: (save to $SPLUNK_HOME/etc/apps/<appname>/bin/getmem.sh
#!/bin/bash
free -m | grep "Mem"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ultimately you need the memory usage information to appear in a log on the server so that Splunk can work with it. If you don't have a log with this information, then you will have to generate it yourself, either by installing a monitoring software or by running a scripted input.
One potential solution would be to run a scripted input on each linux server, which indexes the result of the "free -m" command. (perhaps with a grep to get a single line)
To do this, make an app or modify an app that is deployed to your linux servers.
Here is the stanza for the inputs.conf of the app: (insert app name, index, interval, and sourcetype name below)
[script://$SPLUNK_HOME/etc/apps/<appName>/bin/getmem.sh]
disabled = false
index = ????
interval = 60
sourcetype = ????Here is the code for the script: (save to $SPLUNK_HOME/etc/apps/<appname>/bin/getmem.sh
#!/bin/bash
free -m | grep "Mem"
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
