Splunk Tech Talks
Deep-dives for technical practitioners.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
New Article

Get Monitoring Tricks for All Your *nix Part 2

melissap
Splunk Employee
Splunk Employee
‎06-14-2020 03:34 PM

Watch part two of our *nix TA Tech Talk, Get Monitoring Tricks for All Your *nix Part 2 , where we’re focusing on our technical add-on (TA) for Unix and Linux. This TA for *nix makes management of many data sources—like essential linux log sources–easier. It offers CIM compliant knowledge objects, normalizing your data and providing a unified view across the entire data domain.

 

(view in My Videos)


Tune in to dive a bit deeper into TA for:

  • Tuning your inputs
  • Searching on the fly
  • Building custom visualizations and alerts

Check out our *nix conversations in Splunk Answers community for more!

0 Karma
2 Comments
melissap
Splunk Employee
Splunk Employee
‎07-06-2020 07:05 AM

Hey everyone! We had some great questions during this Tech Talk in June. 

Recapping for all!

Q: Do I need to restart Splunk after making changes to nix config?
A: When making changes from the web configuration gui, changes should be applied to your sever without a restart. However, making changes via the inputs.conf file, or when distributing the inputs.conf to your forwarders, a restart is required. When in doubt, restart Splunk when making an .conf file change.
 
Q: Can I do pctUsed = pctUser %2B pctSystem instead of 100-idle?
A: I would say, 100-idle is better, as it accounts for wait time and nice time.
 
Q: Can I see the query
A: Here's the full query with the baseline: sourcetype=cpu all | eval pctUsed = 100-pctIdle | timechart span=5m avg(pctUsed) as CPU | eval date_hour=strftime(_time,"%H") | join type=left date_hour [| search sourcetype=cpu all earliest=-8d latest=-1d | eval pctUsed=pctIdle | eval date_hour=strftime(_time,"%H") | stats avg(pctUsed) as BASELINE stdev(pctUsed) as stdev by date_hour | eval BASELINE = BASELINE 1.75*stdev | table date_hour,BASELINE ] | table _time,CPU,BASELINE
 
 
0 Karma
melissap
Splunk Employee
Splunk Employee
‎07-06-2020 07:05 AM

Here are all the follow up materials from the webinar. Enjoy!

  • Documentation –

Data Collection

Script Compatibility

Sourcetypes

Deployment

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...