I need to create an alert that checks whether, over a 10-minute period of time, the memory percentage of the host is over 90%. Here is what I get when I search for sourcetype="Perfmon:Available Memory", which is the only sourcetype I have:
04/21/2017 00:20:59.143 +0200
collection="Available Memory"
object=Memory
counter="Available Bytes"
instance=0
Value=992362496
The search that I do is as below:
earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Available Memory"|stats avg(Value) as AvgValue_Last10m count by host | eval AvgValue_Last10mGB = round(((AvgValue_Last10m/1024)/1024)/1024 ,2)| where AvgValue_Last10mGB >= 90| fields - count
So here the value is in bytes? How can I make it a percentage?
@sonila... You would need to know the Total Physical Memory on the machine you are trying to monitor in order to calculate the %Available Megabyte. You can instead use % Committed Bytes in Use performance counter, which indicates Virtual Memory in Use and should not be >80% or something as per your use case.
@sonila
Voting up @niketnilay comment, this is the right way to go and IMHO should also be the answer to your question and not only a comment
@sonia, I have converted my comment to an answer. Please accept if this helped.
I don't have % Committed Bytes in Use as a counter
If you do not have % Committed Bytes in Use memory performance counter, you or Splunk Admin would need to enable it on the server/s being monitored.
Clearly you are using Perfmon for measuring your Windows Server performance. The current inputs.conf which is sending the Perfmon:Available Memory counter needs to be configured to forward % Committed Bytes in Use as well.
Refer to the following documentation on Performance Counters (you can also check out Performance Counters on the Microsoft site for complete details):
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Performance_Monitor
If you have a limited number of Windows servers (hosts) being monitored and you/your admin cannot enable % Committed Bytes in Use in the same way as the Available Memory performance counter, then you would need to maintain a lookup table or KV Store with Total Memory per server and use the approach that adonio has provided.
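An added example, not part of the original answer, of what that inputs.conf change could look like on the forwarder. It assumes the existing stanza is named "Available Memory" (the name that produces sourcetype="Perfmon:Available Memory"); the interval is illustrative, and the index and the 90% threshold are taken from the question.

```ini
# inputs.conf on the universal forwarder of each monitored Windows host.
# Assumption: the existing stanza is named "Available Memory"; the stanza name
# is what becomes the suffix of the sourcetype (Perfmon:Available Memory).
[perfmon://Available Memory]
object = Memory
# Keep the counter already collected and add the percentage counter.
# Counters are separated by semicolons.
counters = Available Bytes; % Committed Bytes In Use
# Polling interval in seconds (illustrative value, not from the thread).
interval = 10
index = my-live-srv
disabled = 0

# After the forwarder is restarted, both counters arrive under the same
# sourcetype, so the alert search has to filter on the counter field:
#
#   earliest=-10m@m latest=@m index="my-live-srv"
#       sourcetype="Perfmon:Available Memory" counter="% Committed Bytes In Use"
#   | stats avg(Value) as AvgCommittedPct by host
#   | where AvgCommittedPct > 90
#
# Value is already a percentage for this counter, so no byte conversion
# and no per-host total memory figure is needed.
```

Any existing search on this sourcetype that averages Value without a counter filter would mix bytes and percentages once the second counter is collected, so add counter="Available Bytes" to those searches.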
hi sonila,
I guess percentage is determined against the total memory the host has. One may think each host will have a different amount of memory, but let's assume all machines have a memory value of 10.
here is a search that will do it based on your search.
earliest=-10m@m latest=@m index="my-live-srv" sourcetype="Perfmon:Available Memory"
| stats avg(Value) as AvgValue_Last10m by host
| eval AvgValue_Last10mGB = round(((AvgValue_Last10m/1024)/1024)/1024 ,2)
| eval myMem = 10
| eval memPCT = AvgValue_Last10mGB/10*100
| table host memPCT
| where memPCT > 90
hope it helps
Thank you. It is very helpful, but I don't know the amount of all machines. Do I really need to make an assumption?