- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- changing perfmon.conf value in inputs.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to show the CPU util average and maximum via perfmon.conf file. Is that possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
If you want to show CPU Utilization avg and max you will need to gather gather stats using inputs.conf or perfmon.conf and create search to display information.
Keep in mind inputs.conf and permfmon.conf are used to defined your sources and collection intervals. The search language is where you preform statistics on your data.
Below is just an example.
#inputs.conf entry for Windows Permon counters for all Proccessor instances and counters
[perfmon://Processor]
counters = *
disabled = 0
instances = *
object = Processor
#search
index= source="Perfmon:Processor" _Total |bucket _time span=30m | where like(counter,"% Processor Time")| stats mean(Value) as "%cpuMean", max(Value) as "%cpuMax", stdev(Value) as "%cpu95th" by host
Hope this helps or gets you started. Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
If you want to show CPU Utilization avg and max you will need to gather gather stats using inputs.conf or perfmon.conf and create search to display information.
Keep in mind inputs.conf and permfmon.conf are used to defined your sources and collection intervals. The search language is where you preform statistics on your data.
Below is just an example.
#inputs.conf entry for Windows Permon counters for all Proccessor instances and counters
[perfmon://Processor]
counters = *
disabled = 0
instances = *
object = Processor
#search
index= source="Perfmon:Processor" _Total |bucket _time span=30m | where like(counter,"% Processor Time")| stats mean(Value) as "%cpuMean", max(Value) as "%cpuMax", stdev(Value) as "%cpu95th" by host
Hope this helps or gets you started. Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Splunk_U, I don't you done enough reading. I recommend reading Exploring Splunk: SEARCH PROCESSING LANGUAGE (SPL)
PRIMER AND COOKBOOK. Here is a search that does exactly what you want.
index=perfmon host=fozzie AND (sourcetype="Perfmon:LogicalDisk" OR sourcetype="Perfmon:Processor") AND _Total AND ("Disk Write Bytes/sec" OR "% Processor Time") | fields _time, host, instance, counter, Value | timechart span=1m avg(Value) by counter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you actually read any tutorials? What is wrong with a search like (the fieldnames are madeup, this is an illustration):
counter=cpu OR counter=read | stats avg(load) avg(read) by host .... ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I want is megring two search query with out using JOIN. One query is retrieveing the average and peak CPU tilization. Another query is retrieveing average and peak read Req/ sec. As they are using different counters and objects I can not make them together in a single searcj query. Can you help me out???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The answer is yes you can added multiple counters and instances per stanza; however, I believe you can only add one object per stanza (try playing with settings and the documentation is really excellent). Though you should logiclly break out inputs in your inputs.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I meant to stay with oout adding another stanza ia it possible to retrieve the value of another counter for this particular source type?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Splunk_U, I am sorry I don't think i understand your question. Simply add another perfmon stanza and modify your search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What should I do if I want to use another counter with "% Processor Time"...how to retrieve the Value for "% Processor Time"??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, have a look at;
http://docs.splunk.com/Documentation/Splunk/latest/Data/Real-timeWindowsperformancemonitoring
Remember that whatever counter you read in, you can then use the stats command to run statistical analysis of the results such as AVG, MAX or 95th
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have gone through it. But no where it written that how to add data for CPU usage. Can you please help me out!!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
