Monitoring Splunk

How to Monitor CPU usage

vamsi92
Explorer

I want to see my CPU usage statistics.
I tried using the search host="CARDS_QA_" (sourcetype=cpu OR source=WMI:CPUTime)
and
host="CARDS_QA_" (sourcetype=cpu)
But my search is generating no results.
I want to continuously monitor CPU usage and want to report if it is more than 80% for 5-10 seconds.
Can you please edit and update my search code?
I have 2 Splunk instances, one on Windows and one on Linux.
And please specify whether there will be any difference in the search based on OS.

0 Karma

ddrillic
Ultra Champion

I would start with -
index="_introspection" source="/opt/splunk/var/log/introspection/resource_usage.log"

It shows the cpu usage...

0 Karma

vamsi92
Explorer

Thank you ddrillic,
But I want to monitor not only Splunk utilization; I want to monitor normal overall CPU usage.
For example, if some 5 processes are running, there may be a chance CPU usage will be above 60% or 80%, and Splunk should be able to detect that, so I am looking for that search string.
So kindly help me out.
Thanks in advance.

0 Karma

ddrillic
Ultra Champion

Very interesting.

http://docs.splunk.com/Documentation/Splunk/6.3.1/Troubleshooting/WhatSplunklogsaboutitself#Introspe... speaks about it and it says -

"It gathers data about your Splunk instance and operating system and writes it to log files that you can search later to aid in troubleshooting a variety of problems."

So, I'm not sure whether and how the overall system's data is captured.

0 Karma
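An added example, not part of any post in this thread: a search over the introspection data mentioned above that flags hosts whose overall CPU stays above 80% across two consecutive samples. It assumes full Splunk Enterprise instances with introspection enabled, the `Hostwide` component's `data.cpu_system_pct` and `data.cpu_user_pct` fields, and the default 10-second collection interval, so a window of 2 samples approximates the "5-10 seconds" in the question. The names `cpu_pct`, `samples` and `window_min_cpu` are chosen here for illustration.

```spl
index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval cpu_pct = 'data.cpu_system_pct' + 'data.cpu_user_pct'
| sort 0 host _time
| streamstats global=f window=2 count AS samples min(cpu_pct) AS window_min_cpu BY host
| where samples=2 AND window_min_cpu > 80
| table _time host cpu_pct window_min_cpu
```

Because the `Hostwide` component is written by the Splunk instance itself on both Windows and Linux, the same search applies to both hosts; saved as a scheduled alert, it triggers whenever any rows are returned.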

muebel
SplunkTrust

Hi vamsi92, I'd try to find exactly how you are getting the CPU metrics into Splunk. Take a look at the inputs configuration for the host. Maybe you are using the Splunk_TA_Windows app? I'd expect you are getting CPU metrics in through WMI in that case.

If the inputs are set up correctly, then it is a matter of making sure that all the data is getting from the host to the Splunk index. I'd check if any events at all are making it in from that host. Do you collect WinEventLog? Check that you can find that.

At that point it's a matter of ensuring that you have access to whatever index the CPU metrics are being stored in. This would be a Splunk administrator task.

Please let me know if this helps!

0 Karma

vamsi92
Explorer

Hey, thank you muebel. But is it absolutely necessary to use the Splunk Windows app? The task at hand is to measure overall CPU usage, which is the combined effect of all the processes running on a Linux system and similarly on a Windows system (each has Splunk installed on it, in the corresponding OS version).
So is it possible through a search string which can access the CPU logs and get the result when CPU usage is >60 or >80?
Can you please help me out with that?
Thanks in advance.

0 Karma