Monitoring Splunk

best approach to speed access to Linux performance data such as iostat vmstat and so on

ebaileytu
Communicator

We have a vast amount of performance data and I want to make better use of the data by speeding up access to make it easier to query and compare data over the long term. What is the preferred method of data acceleration? I have been moving forward with report acceleration but I want to get feedback on the best practice.

Report Acceleration or Accelerated Data models?

For iostat, we have approx. 1 million results every 5 minutes.

Should I setup an accelerated report for each sourcetype with min max and avg calculated per host or something else? I do not want to get too far into the project and then figure out I am doing it all wrong.

Thanks in advance

0 Karma

gjanders
SplunkTrust
SplunkTrust

Have you looked at the nmon application for Splunk ? NMON Performance Monitor for Unix and Linux Systems ?
https://splunkbase.splunk.com/app/1753/

It does most of what you are trying to do, and it would be easier than trying to build data models and then accelerating them for the information you require (the nmon app has a number of accelerated data models).

ddrillic
Ultra Champion

Please keep in mind that an app for such a purpose exists at - Splunk App for Unix and Linux

Forwarding Linux command outputs to dashboard
says -

alt text

A related documentation at Logging best practices

ebaileytu
Communicator

Already using the Unix Linux TA with a number of extension hence the large data set we already have already have in Splunk. The App for Unix Linux gives some good examples but does not present that metrics we want and it is very slow with large data sets.

0 Karma

sundareshr
Legend

Both are good approaches to improve performance. Report Acceleration is good if all you need is the final report. You cannot benefit from the acceleration if you decide to open the search and make changes. With the data model, on the other hand, you can keep building on it. The third option would be to use Summary Index, I would recommend Accelerated Data Model

I any case, you will need to plan ahead to before your pick your best approach.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...