Monitoring Splunk
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query to get average memory usage in linux

AbdurRasheed
Engager
‎03-04-2021 05:10 PM

Hi,

I need help in finding the average memory usage of 100+ linux server. we dont have permon in splunk so i cant use that to get the memory data.

We have 1000s of server. For CPU , I somehow found below queries . But couldn't get one for memory usage.

Average CPU :

index=os host=hostname sourcetype=cpu | multikv | search CPU="all" | eval pctCPU=100-pctIdle | stats avg(pctCPU) by host

For max CPU :

index=os sourcetype=top host=hostname |stats max(pctCPU) AS maxCPU by _time, PID, COMMAND|sort -maxCPU

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dave_null
Path Finder
‎03-04-2021 11:29 PM

Ultimately you need the memory usage information to appear in a log on the server so that Splunk can work with it. If you don't have a log with this information, then you will have to generate it yourself, either by installing a monitoring software or by running a scripted input.

One potential solution would be to run a scripted input on each linux server, which indexes the result of the "free -m" command. (perhaps with a grep to get a single line)

To do this, make an app or modify an app that is deployed to your linux servers. 

Here is the stanza for the inputs.conf of the app: (insert app name, index, interval, and sourcetype name below)

[script://$SPLUNK_HOME/etc/apps/<appName>/bin/getmem.sh]
disabled = false
index = ????
interval = 60
sourcetype = ????

Here is the code for the script: (save to $SPLUNK_HOME/etc/apps/<appname>/bin/getmem.sh 

#!/bin/bash
free -m | grep "Mem"

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dave_null
Path Finder
‎03-04-2021 11:29 PM

Ultimately you need the memory usage information to appear in a log on the server so that Splunk can work with it. If you don't have a log with this information, then you will have to generate it yourself, either by installing a monitoring software or by running a scripted input.

One potential solution would be to run a scripted input on each linux server, which indexes the result of the "free -m" command. (perhaps with a grep to get a single line)

To do this, make an app or modify an app that is deployed to your linux servers. 

Here is the stanza for the inputs.conf of the app: (insert app name, index, interval, and sourcetype name below)

[script://$SPLUNK_HOME/etc/apps/<appName>/bin/getmem.sh]
disabled = false
index = ????
interval = 60
sourcetype = ????

Here is the code for the script: (save to $SPLUNK_HOME/etc/apps/<appname>/bin/getmem.sh 

#!/bin/bash
free -m | grep "Mem"

 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top