Monitoring Splunk

best approach to speed access to Linux performance data such as iostat vmstat and so on


We have a vast amount of performance data and I want to make better use of the data by speeding up access to make it easier to query and compare data over the long term. What is the preferred method of data acceleration? I have been moving forward with report acceleration but I want to get feedback on the best practice.

Report Acceleration or Accelerated Data models?

For iostat, we have approx. 1 million results every 5 minutes.

Should I setup an accelerated report for each sourcetype with min max and avg calculated per host or something else? I do not want to get too far into the project and then figure out I am doing it all wrong.

Thanks in advance

0 Karma


Have you looked at the nmon application for Splunk ? NMON Performance Monitor for Unix and Linux Systems ?

It does most of what you are trying to do, and it would be easier than trying to build data models and then accelerating them for the information you require (the nmon app has a number of accelerated data models).

Ultra Champion

Please keep in mind that an app for such a purpose exists at - Splunk App for Unix and Linux

Forwarding Linux command outputs to dashboard
says -

alt text

A related documentation at Logging best practices


Already using the Unix Linux TA with a number of extension hence the large data set we already have already have in Splunk. The App for Unix Linux gives some good examples but does not present that metrics we want and it is very slow with large data sets.

0 Karma


Both are good approaches to improve performance. Report Acceleration is good if all you need is the final report. You cannot benefit from the acceleration if you decide to open the search and make changes. With the data model, on the other hand, you can keep building on it. The third option would be to use Summary Index, I would recommend Accelerated Data Model

I any case, you will need to plan ahead to before your pick your best approach.

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...