How to edit my alert search to convert Available Memory value from bytes to a percentage?

sonila
Path Finder

I need to create an alert which checks, over a 10-minute period, whether the memory percentage of the host is over 90%. Here is what I have when I search for sourcetype="Perfmon:Available Memory", which is the only sourcetype I have:
04/21/2017 00:20:59.143 +0200
collection="Available Memory"
object=Memory
counter="Available Bytes"
instance=0
Value=992362496

The search that I do is as below:

earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Available Memory"
| stats avg(Value) as AvgValue_Last10m count by host
| eval AvgValue_Last10mGB = round(((AvgValue_Last10m/1024)/1024)/1024, 2)
| where AvgValue_Last10mGB >= 90
| fields - count

So here the value is in bytes? How can I make it a percentage?

0 Karma
1 Solution

niketn
Legend

@sonila... You would need to know the Total Physical Memory on the machine you are trying to monitor in order to calculate the percentage of available memory. You can instead use the % Committed Bytes in Use performance counter, which indicates Virtual Memory in Use and should not be >80% or something, as per your use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


adonio
Ultra Champion

@sonila
Voting up @niketnilay's comment; this is the right way to go and IMHO it should also be the answer to your question and not only a comment.

0 Karma

niketn
Legend

@sonila, I have converted my comment to an answer. Please accept if this helped.

0 Karma

sonila
Path Finder

I don't have % Committed Bytes in Use as a counter.

0 Karma

niketn
Legend

If you do not have the % Committed Bytes in Use memory performance counter, you or your Splunk Admin would need to enable it on the server(s) being monitored.

Clearly you are using Perfmon for measuring your Windows Server performance. The current inputs.conf which is sending the Perfmon:Available Memory counter needs to be configured to forward % Committed Bytes in Use as well.

Refer to the following documentation on Performance Counters (you can also check out Performance Counters on the Microsoft site for complete details):

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Performance_Monitor

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsperformance#Collect_performanc...

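As an added example (not posted in this thread), this is the kind of inputs.conf stanza that collects both counters from the forwarder. The stanza name, interval and index are assumptions; the stanza name is what becomes the sourcetype (Perfmon:Memory here), so the existing Perfmon:Available Memory stanza can be kept alongside it or replaced by it.

```ini
# Added example, not from the original thread. Goes in inputs.conf on the
# universal forwarder (e.g. in an app under $SPLUNK_HOME/etc/apps/).
# The stanza name is an assumption; it yields sourcetype "Perfmon:Memory".
[perfmon://Memory]
object = Memory
# Several counters are separated by semicolons and must match the Perfmon
# counter names exactly, including the "% " prefix.
counters = Available Bytes; % Committed Bytes in Use
# Collection interval in seconds (assumed value); index must exist on the indexers.
interval = 60
index = my-live-srv
disabled = 0
```

After restarting the forwarder, confirm that both counters arrive with a quick check such as index="my-live-srv" sourcetype="Perfmon:Memory" | stats count by host, counter; a counter whose name is misspelled in the stanza simply never shows up, with no error in the search results.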

niketn
Legend

If you have a limited number of Windows servers (hosts) being monitored and you/your admin cannot enable % Committed Bytes in Use in the same way as the Available Memory performance counter, then you would need to maintain a lookup table or KV Store with the Total Memory per server and use the approach that adonio has provided.


adonio
Ultra Champion

Hi sonila,
I guess the percentage is determined against the total memory the host has. One may think each host will have a different amount of memory, but let's assume all machines have a memory value of 10.
Here is a search that will do it based on your search.

earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Available Memory"
| stats avg(Value) as AvgValue_Last10m by host
| eval AvgValue_Last10mGB = round(((AvgValue_Last10m/1024)/1024)/1024, 2)
| eval myMem = 10
| eval memPCT = round(AvgValue_Last10mGB/myMem*100, 2)
| table host memPCT
| where memPCT > 90

Hope it helps.

0 Karma
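Putting niketn's lookup suggestion and adonio's search together as an added example (not code from this thread), the fence below holds two separate searches. The first replaces the hard-coded 10 with a per-host total read from a lookup; the second uses the % Committed Bytes in Use counter once it has been enabled. The lookup file host_total_memory.csv (columns host,total_bytes, one row per host) and the sourcetype Perfmon:Memory are assumptions. Two points the question's own search hides: its where clause compares a value in gigabytes against 90, so it never expressed a percentage, and a plain where on a computed percentage silently drops any host missing from the lookup, so the first search keeps those hosts visible instead.

```spl
earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Available Memory" counter="Available Bytes"
| stats avg(Value) as AvgAvailBytes_Last10m by host
| lookup host_total_memory.csv host OUTPUT total_bytes
| eval pct_available = if(isnotnull(total_bytes), round(AvgAvailBytes_Last10m / total_bytes * 100, 2), null())
| eval pct_used = if(isnotnull(pct_available), round(100 - pct_available, 2), null())
| eval status = case(isnull(total_bytes), "host missing from host_total_memory.csv", pct_used >= 90, "ALERT", true(), "ok")
| where status != "ok"
| table host AvgAvailBytes_Last10m total_bytes pct_available pct_used status

earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Memory" counter="% Committed Bytes in Use"
| stats avg(Value) as AvgCommittedPct_Last10m by host
| where AvgCommittedPct_Last10m >= 90
| table host AvgCommittedPct_Last10m
```

The lookup file has to be uploaded (Settings > Lookups > Lookup table files) and shared with the app that owns the alert, otherwise the lookup command fails at search time. The two thresholds are not interchangeable: % Committed Bytes in Use is the commit charge (RAM plus page file) as a share of the commit limit, while the first search measures unused physical RAM, so a host can exceed one threshold without exceeding the other.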

sonila
Path Finder

Thank you. It is very helpful, but I don't know the amount for all machines. Do I really need to make an assumption?

0 Karma