Multi-objects performance monitor

sieutruc · ‎08-14-2012

Hello,

I have a question about how to monitor disk performance, but it requires several related object counters at the same instance of time . That means i create one data input for memory object containing:page/s, avg read byte/s, avg write byte/s; and disk object as above:disk bytes/s; % disk read times... with different polling interval for each object. How can i can combine 2 data inputs together in real time search to make an alert if there is a problem ? For example:if there is a disk problem, maybe disk object is full at the same time with burden of data in memory object too, we need counters from 2 objects to analyse such a problem , can you help me ?

tfletcher_splun · ‎08-20-2012

Depends on how you are inputting your data. Say you bring in all of the disk performance data under sourcetype="perf" and every object is tagged in a field in the events as objId=GUID. Say you wanted to alert if two metrics, metric1 and metric2 were above 90 for the same object in a 1 minute interval of time:

sourcetype="perf" | bucket _time span=1m | stats max(metric1) as m1 max(metric2) as m2 by objId, _time | search m1>90 m2>90 | table objId m1 m2 _time

You then schedule this search and set it to alert you if there are more than 0 results.

Multi-objects performance monitor

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes