Monitoring Splunk

Best approach to speed access to Linux performance data such as iostat, vmstat and so on

ebaileytu
Communicator

We have a vast amount of performance data and I want to make better use of the data by speeding up access to make it easier to query and compare data over the long term. What is the preferred method of data acceleration? I have been moving forward with report acceleration but I want to get feedback on the best practice.

Report Acceleration or Accelerated Data models?

For iostat, we have approx. 1 million results every 5 minutes.

Should I set up an accelerated report for each sourcetype with min, max and avg calculated per host, or something else? I do not want to get too far into the project and then figure out I am doing it all wrong.

Thanks in advance


gjanders
SplunkTrust

Have you looked at the nmon application for Splunk? NMON Performance Monitor for Unix and Linux Systems:
https://splunkbase.splunk.com/app/1753/

It does most of what you are trying to do, and it would be easier than trying to build data models and then accelerating them for the information you require (the nmon app has a number of accelerated data models).

ddrillic
Ultra Champion

Please keep in mind that an app for such a purpose exists: Splunk App for Unix and Linux.

Forwarding Linux command outputs to dashboard says:

Related documentation is at Logging best practices.

ebaileytu
Communicator

Already using the Unix/Linux TA with a number of extensions, hence the large data set we already have in Splunk. The App for Unix/Linux gives some good examples but does not present the metrics we want, and it is very slow with large data sets.


sundareshr
Legend

Both are good approaches to improve performance. Report Acceleration is good if all you need is the final report. You cannot benefit from the acceleration if you decide to open the search and make changes. With the data model, on the other hand, you can keep building on it. The third option would be to use a summary index. I would recommend an accelerated data model.

In any case, you will need to plan ahead before you pick your best approach.
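To make the trade-off in the answers above concrete, here is an added example (not from this thread, and not the TA's or app's own configuration) of what the two saved-search based options look like in savedsearches.conf for the iostat case the question describes: a scheduled summary-indexing search that rolls each 5-minute window into one min/max/avg row per host and device, and a report-accelerated search that Splunk maintains on its own. The index name `os`, the summary index `summary_perf`, and the iostat field names `rKB_PS`, `wKB_PS` and `await` are assumptions; substitute the index and the fields your TA actually extracts, and create the summary index before enabling the schedule.

```ini
# Added example, not the thread's or the add-on's own config.
# Assumptions: raw iostat events live in index=os with sourcetype=iostat,
# a summary index named summary_perf already exists, and the TA extracts
# fields named rKB_PS, wKB_PS and await (placeholders; check your fields).

# 1) Summary indexing: every 5 minutes, reduce the raw events of the last
#    complete 5-minute window to one row per host/device. sistats keeps the
#    partial aggregates (count, sum, min, max) so that a later "stats" over
#    the summary index returns exact min/max/avg rather than an avg of avgs.
[iostat_summary_5m]
search = index=os sourcetype=iostat \
  | sistats min(rKB_PS) max(rKB_PS) avg(rKB_PS) \
            min(wKB_PS) max(wKB_PS) avg(wKB_PS) \
            min(await)  max(await)  avg(await) by host Device
# Snap to whole minutes so consecutive runs neither overlap nor leave gaps.
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1
cron_schedule = */5 * * * *
action.summary_index = 1
action.summary_index._name = summary_perf
# Stamp every summary event with a marker field so several sourcetypes'
# rollups can share one summary index and still be selected cleanly.
action.summary_index.report = iostat_summary_5m

# Long-term comparison then reads the small summary instead of raw data:
#   index=summary_perf report=iostat_summary_5m earliest=-90d
#   | stats min(await) max(await) avg(await) by host Device
# Use the same statistical functions that sistats was run with.

# 2) Report acceleration: same idea, but Splunk builds and refreshes the
#    summary itself. Only this exact report benefits; editing the search
#    string in the UI runs it unaccelerated, which is the limitation noted
#    in the answer above.
[iostat_await_hourly_by_host]
search = index=os sourcetype=iostat \
  | timechart span=1h min(await) max(await) avg(await) by host
dispatch.earliest_time = -90d@d
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -90d@d
```

Two points worth checking before rolling this out to every sourcetype: the summary-index search must never overlap its own windows (hence the snapped `dispatch.*_time` values and a cron interval equal to the window), and a scheduled search that misses a run leaves a hole in the summary that `stats` will silently average over, so monitor the scheduler's skipped-search logs. The accelerated-data-model route recommended in the answer keeps the raw events queryable through `tstats` with the same kind of aggregation, without you having to maintain a schedule per sourcetype.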
