I have installed universal forwarder installed and it sends data to splunk indexer.When I check CPU by Host, I see chart called "Load Factor by Host".Can you explain me the meaning of that chart"Load Factor by Host" and also can you recommend me link where I can find more details.
The Load is the system load, 1 mintes average. It's parsed from the uptime in Linux.
$ uptime
00:11:39 up 42 days, 7:40, 3 users, load average: 2.29, 2.96, 3.43
In this case, the value should be 2.29.
As you might know, the system load is based on number of precess ready to run in CPU and number of processes with I/O wait status in kernel. Because this number include all the CPU cores. If you have 8 core CPUs, this value is generally higher than 4 core CPUs.
The search query for the chart is;
index=os sourcetype=vmstat host=$host$ | multikv fields loadAvg1mi | timechart avg(loadAvg1mi) by host
where $host$
is your choice in the Host pull-down. loadAvg1mi is the same as system load 1minutes average.
Unfortunately I could not find any document explaining about this. I checked the xml file and macro.conf, and the shell script to understand it.