Splunk Search

Transaction or bucket not working for TOP command

Motivator

I am using the top command to see splunkd resource use, just like SOS.

I would like to see the total CPU and MEMORY use for Splunkd but there are several PID numbers for splunkd.

I can use the transaction command like this:

host=MyIndexers sourcetype=top 
| multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS 
| search COMMAND=splunkd 
| transaction _time 
| timechart span=1m sum(pctCPU) by host

The problem is this isn't too accurate and the timechart span=1m could contain two or no results depending on the sync.

I would also like to divide the sum(pctCPU) by 8 since I have 8 cores in each box. This would give me a percentage out of 100% rather than a percentage out of 800%.

Any help would be appreciated.

1 Solution

Legend

Try this; it will be much more efficient than the transaction command and work just as well:

host=MyIndexers sourcetype=top 
| multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS 
| search COMMAND=splunkd 
| stats sum(pctCPU) as totalPctCPU sum(pctMEM) as totalPctMEM by host _time
| eval totalPctCPU = totalPctCPU / 8

You can't draw both statistics at once though... so for just one of them:

host=MyIndexers sourcetype=top 
| multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS 
| search COMMAND=splunkd 
| stats sum(pctCPU) as totalPctCPU by host _time
| eval totalPctCPU = totalPctCPU / 8
| timechart span=1m avg(totalPctCPU) as pctCPU by host



Legend

The timechart command computes statistics for every interval, even if there are no events. You could look at the chart or the table.

The stats command doesn't do that. I can't think of a way to generate the 0 rows in the table for stats.


Motivator

This is exactly what I needed, thanks for both options.

One question, if you don't mind. If there is no value, I would like the value of "pctCPU" for each server to be 0; this will ensure a placeholder even if the CPU for splunkd drops to zero. Can you help with that?

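The following is an added illustration, not code from the thread or from Splunk: it reproduces in Python what the accepted answer's pipeline does (sum pctCPU across every splunkd PID per host and sample time, divide by the core count, then average inside 1-minute spans per host) and adds the zero placeholder for empty intervals that the follow-up question asks for, which is the behaviour timechart already has and stats does not. The rows are constructed to look like multikv output from the top sourcetype, with sample times deliberately not aligned to the minute; the host names, PIDs, values and the 8-cores-per-host figure are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows, shaped like `sourcetype=top | multikv` output:
# one row per process, several splunkd PIDs per host per sample.
# Fields: (host, _time, PID, COMMAND, pctCPU, pctMEM)
SAMPLE_ROWS = [
    ("idx1", "2024-01-01T00:00:07Z", 101, "splunkd", 120.0, 3.0),
    ("idx1", "2024-01-01T00:00:07Z", 102, "splunkd", 80.0, 1.0),
    ("idx1", "2024-01-01T00:00:07Z", 103, "bash", 1.0, 0.1),   # filtered out
    ("idx1", "2024-01-01T00:00:37Z", 101, "splunkd", 160.0, 3.0),
    ("idx1", "2024-01-01T00:00:37Z", 102, "splunkd", 40.0, 1.0),
    ("idx2", "2024-01-01T00:00:12Z", 201, "splunkd", 400.0, 5.0),
    # no sample for either host in the 00:01 minute -> empty interval
    ("idx1", "2024-01-01T00:02:05Z", 101, "splunkd", 40.0, 3.0),
    ("idx2", "2024-01-01T00:02:12Z", 201, "splunkd", 80.0, 5.0),
]

# Assumption from the thread: 8 cores in each box. Look this up per host in
# practice; a wrong divisor silently mis-scales the chart.
CORES = {"idx1": 8, "idx2": 8}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sum_per_sample(rows, command="splunkd"):
    """`search COMMAND=splunkd | stats sum(pctCPU) sum(pctMEM) by host _time`
    followed by `eval totalPctCPU = totalPctCPU / cores`.
    Returns {(host, sample_time): (cpu_pct_of_host, mem_pct)}."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for host, ts, _pid, cmd, cpu, mem in rows:
        if cmd != command:
            continue
        acc = totals[(host, parse_time(ts))]
        acc[0] += cpu
        acc[1] += mem
    return {(h, t): (cpu / CORES[h], mem) for (h, t), (cpu, mem) in totals.items()}


def bucket_start(t, span_seconds):
    """Align a timestamp down to the start of its span, as timechart does."""
    epoch = int(t.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def timechart_avg_cpu(per_sample, span_seconds=60):
    """`timechart span=1m avg(totalPctCPU) as pctCPU by host`.
    Averages the per-sample totals inside each span and, like timechart,
    emits a row for every span in the range; a span with no sample for a
    host gets 0.0, the placeholder the follow-up question asks for.
    Returns {host: [(span_label, avg_cpu), ...]}."""
    by_bucket = defaultdict(list)
    for (host, t), (cpu, _mem) in per_sample.items():
        by_bucket[(host, bucket_start(t, span_seconds))].append(cpu)
    if not by_bucket:
        return {}
    starts = [b for (_h, b) in by_bucket]
    first, last = min(starts), max(starts)
    result = {}
    for host in sorted({h for (h, _b) in by_bucket}):
        series = []
        b = first
        while b <= last:
            vals = by_bucket.get((host, b))
            avg = round(sum(vals) / len(vals), 2) if vals else 0.0
            series.append((b.strftime("%H:%M"), avg))
            b += timedelta(seconds=span_seconds)
        result[host] = series
    return result


if __name__ == "__main__":
    for host, series in timechart_avg_cpu(sum_per_sample(SAMPLE_ROWS)).items():
        print(host, series)
```

Two things to keep in mind when reading the resulting chart: pctCPU from top is per process and exceeds 100 for a multithreaded splunkd, so the division by the core count is what makes the per-host figure comparable across boxes; and a 0.0 produced by the fill is indistinguishable from splunkd genuinely idling. For a SIEM that matters, because an interval with no top sample at all more often means the monitoring input or forwarder stopped reporting than that splunkd used no CPU, so it is worth alerting on the absence of samples separately from the value.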