Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- *nix addon doesn't index CPU number
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've installed the Splunk_TA_nix addon on my indexer.
It brings in the cpu statistics but only as a dump.
The raw data looks like this:
2.13 0.00 1.51 0.00 0.00 96.36
0.00 0.00 1.00 0.00 0.00 99.00
2.02 0.00 3.03 0.00 0.00 94.95
5.00 0.00 3.00 0.00 0.00 92.00
0.00 0.00 0.00 0.00 0.00 100.00
8.00 0.00 4.00 0.00 0.00 88.00
1.00 0.00 1.00 0.00 0.00 98.00
1.00 0.00 0.00 0.00 0.00 99.00
0.00 0.00 0.00 0.00 0.00 100.00
But when I run /opt/splunk/etc/apps/Splunk_TA_nix/bin/cpu.sh I get this:
CPU pctUser pctNice pctSystem pctIowait pctIdle
all 4.01 0.00 1.25 0.00 94.74
0 1.00 0.00 2.00 0.00 97.00
1 2.00 0.00 0.00 0.00 98.00
2 3.03 0.00 0.00 0.00 96.97
3 0.00 0.00 0.00 0.00 100.00
4 1.00 0.00 1.00 0.00 98.00
5 20.79 0.00 1.98 0.00 77.23
6 2.00 0.00 4.00 0.00 94.00
7 0.00 0.00 1.00 0.00 99.00
Where is the CPU number (and "all") has gone?
I haven't changed anything in the files, only enabled cpu monitoring.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the solution: http://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/Releasenotes
Thanks for the help mayurr98!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the solution: http://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/Releasenotes
Thanks for the help mayurr98!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@encoretickets, If your problem is resolved, please accept the answer to help future readers.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your issue exactly ? Are you able to see logs with the appropriate sourcetype? Search for sourcetype=cpu if you are getting logs then the app is working fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't search for the "all" CPU metrics. Or in fact for any given core because the core id is missing from the index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=os sourcetype=cpu CPU=all
Are you getting results for this search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope, nothing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
refer this link
https://answers.splunk.com/answers/152670/why-is-cpu-sh-script-being-indexed-incorrectly-in-splunk-a...
Also for enabling the input you should use best practices i.e. refer below link
https://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/Enabledataandscriptedinputs#Enable_the_da...
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
