Monitoring Splunk

How to get a good measure of load or cpu utilization in windows?

juniormint
Communicator

I would like to generate a plot of cpu utilization over time. I have some permon events coming in that look like

02/11/2014 09:21:04.315
collection=CPU
object=Processor
counter="% Processor Time"
instance=_Total
Value=0.0084302548057690885

and so I can easily enough write the following search

source="perfmon:cpu" | timechart span=15m avg(Value) as CPU

The problem I perceive is that I think permon:cpu is an instantaneous value. If so then the rate at which the agent reports sends updates (or events) sets a minimum detectable load. Basically I'm saying that if I am only getting a cpu event every 5 min, then chances are I would never see a 30sec spike in cpu utilization. I could just up the cpu event rate to someting like 10 sec (to detect 30 sec spikes), but I am wondering if there is another approach that will not involve increasing the number of cpu events dramatically?

Tags (2)
0 Karma

linu1988
Champion

Hello,
You are correct in your approach, but if you want the granular info you need to see the perfmon counter more frequently i.e. the interval needs to be in seconds. And you should not be concerned if there is a CPU spike for a second or two. Monitoring perfmon _total instance per day wont consume much from your license volume.

Second approach is an indirectly get the average value of your perfmon counter using one script. For that you need to collect instantaneous data into csv file using windows data collector and rather than perfmon.conf , in INPUTS.CONF you trigger a script which calculates the value for you and send an average for that 5 mins or whatever interval you want so that you don't loose anything.

Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...