Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I subtotal processor utilization?

NickJLange
Explorer
‎04-10-2016 09:09 AM

Disclaimer: I'm not saying this particular example is useful analysis - I'm just not sure how to think about solving a problem like this in Splunk properly.

I have thousands of events of Zabbix Data where socket-wide data points are normalized into individual events. i.e. system.cpu.util[socket,core,type] across heterogeneous hardware configurations (i.e. # of sockets or # of cores are different).
I want to understand the distribution of the load across a socket by machine modeltype to ensure it matches up to temperature readings - and then flag outliers (either on temperature or idle cores).

I've seen tricks around extracting the itemKey into named Variables which I think works because the timestamp is exactly the same.... but how do you run stats on variables that might not exist? (i.e. socket 4 or core 20?)

Does any of this make sense?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-06-2016 05:56 PM 
  ... host=hostname |eval socket=if(isnull(socket),"null",socket) |  timechart avg(value) max(value) by socket

AND

  ... host=hostname | eval core=if(isnull(core),"null",core)| timechart avg(value) max(value) by core

should be fine for a host by host basis. Both would work well on a dashboard with a drop down list to select the hostname etc.

 ... |eval socket=if(isnull(socket),"null",socket) | eval core=if(isnull(core),"null",core)| stats avg(value) max(value) by host core socket

The above should be fine for an analyst to select specific time ranges with time picker and see if activity spikes occured, etc.

0 Karma
Reply

NickJLange
Explorer
‎05-08-2016 08:18 AM

Thank you for the helpful suggestion. I'm looking for more aggregate trends across a class of hosts with different underlying hardware models - which sort of precludes individual host analysis with eyeballs...

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-11-2016 02:39 PM

Do provide some sample data.

0 Karma
Reply

NickJLange
Explorer
‎04-17-2016 06:49 AM

It's not very exciting (one row per pseudo-event):

_time,host,itemKey="system.cpu.util[user_utilization,#socket,#core,]",value=int
....
_time,hostN,itemKey="system.cpu.util[user_utilization,#socket,#core,]",value=int

0 Karma
Reply

NickJLange
Explorer
‎04-18-2016 05:27 AM

Currently, the query uses rex to extract the #socket/#core are extracted to new variables via Rex...

0 Karma
Reply

somesoni2
Revered Legend
‎04-18-2016 06:51 AM

What will the field value contains?

0 Karma
Reply

NickJLange
Explorer
‎05-06-2016 08:09 AM

an integer value from 1- 100. representing utilization ... the equiv of /proc/stat

0 Karma
Reply

somesoni2
Revered Legend
‎04-11-2016 08:20 AM

Is list of possible socket/core fixed?

0 Karma
Reply

NickJLange
Explorer
‎04-16-2016 10:54 AM

It is hard to predict the socket/core count... but it is a finite set.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...