Watch part two of our *nix TA Tech Talk, Get Monitoring Tricks for All Your *nix Part 2 , where we’re focusing on our technical add-on (TA) for Unix and Linux. This TA for *nix makes management of many data sources—like essential linux log sources–easier. It offers CIM compliant knowledge objects, normalizing your data and providing a unified view across the entire data domain.
Get Monitoring Tricks for All Your *nix Part 2
Video Player is loading.
Current Time 0:00
/
Duration 0:00
Loaded: 0%
0:00
Stream Type LIVE
Remaining Time -0:00
1x
Chapters
descriptions off, selected
captions settings, opens captions settings dialog
captions off, selected
This is a modal window.
Beginning of dialog window. Escape will cancel and close the window.
End of dialog window.
This is a modal window. This modal can be closed by pressing the Escape key or activating the close button.
Hey everyone! We had some great questions during this Tech Talk in June.
Recapping for all!
Q: Do I need to restart Splunk after making changes to nix config?
A: When making changes from the web configuration gui, changes should be applied to your sever without a restart. However, making changes via the inputs.conf file, or when distributing the inputs.conf to your forwarders, a restart is required. When in doubt, restart Splunk when making an .conf file change.
Q: Can I do pctUsed = pctUser %2B pctSystem instead of 100-idle?
A: I would say, 100-idle is better, as it accounts for wait time and nice time.
Q: Can I see the query
A: Here's the full query with the baseline: sourcetype=cpu all | eval pctUsed = 100-pctIdle | timechart span=5m avg(pctUsed) as CPU | eval date_hour=strftime(_time,"%H") | join type=left date_hour [| search sourcetype=cpu all earliest=-8d latest=-1d | eval pctUsed=pctIdle | eval date_hour=strftime(_time,"%H") | stats avg(pctUsed) as BASELINE stdev(pctUsed) as stdev by date_hour | eval BASELINE = BASELINE 1.75*stdev | table date_hour,BASELINE ] | table _time,CPU,BASELINE
