Hi Splunkers,
I am still a beginner, trying to write a query to fetch a Splunk heavy forwarder's CPU, memory usage and other hardware-related stuff. With the query below I am not able to fetch the correct values for the heavy forwarders (see the results below). So, could anyone please help me resolve this issue?
Query:
index=_internal host=spi source="/opt/splunk/var/log/splunk/metrics.log" fwdType=full | dedup hostname | table hostname | join type=left [search index=* sourcetype=nix:hardware host=* | rex mode=sed "s/\s\s+/=/g" | extract kvdelim="=" pairdelim="\n"] | table hostname, CPU_TYPE, CPU_COUNT, MEMORY_REAL
Results: the same values are replicated for all HFs, which is incorrect.
Host   CPU_TYPE                    CPU_COUNT   MEMORY_REAL
HF 1   Intel(R) Xeon(R) @ 2.70GHz  12          24504164 kB
HF 2   Intel(R) Xeon(R) @ 2.70GHz  12          24504164 kB
HF 3   Intel(R) Xeon(R) @ 2.70GHz  12          24504164 kB
HF n   Intel(R) Xeon(R) @ 2.70GHz  12          24504164 kB
Your join doesn't have a field to join on, such as the host name of your HFs.
Even better, don't use join if all you want is to filter one search by another search:
generating search for your hardware stuff [search for your HFs | dedup hostname | table hostname | rename hostname as host]
| rex, extract, table, whatever
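Filling in that template with the sourcetypes and field names from the question, as an added example (not the answerer's own search). It assumes metrics.log is read from index=_internal, which the question's query only hints at, and that the nix:hardware events are the two-column "KEY  VALUE" layout the original rex/extract pair was written for:

```spl
index=* sourcetype=nix:hardware
    [ search index=_internal source="/opt/splunk/var/log/splunk/metrics.log" fwdType=full
      | dedup hostname
      | table hostname
      | rename hostname AS host ]
| rex mode=sed "s/\s\s+/=/g"
| extract kvdelim="=" pairdelim="\n"
| dedup host
| table host, CPU_TYPE, CPU_COUNT, MEMORY_REAL
```

The subsearch returns one host=... clause per heavy forwarder, ORed together, so the outer search only ever reads hardware events from those hosts and each row keeps its own values; the trailing dedup host keeps the newest hardware event per forwarder instead of one row per collection interval.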
The easiest way (AND FREE) is to enable platform instrumentation, which will start populating the _introspection index (disabled by default), by following these steps:
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF
Then search like this:
index="_introspection" AND sourcetype="splunk_resource_usage"
Here are some other ways, too:
https://answers.splunk.com/answers/423998/is-there-an-easy-way-to-get-resource-usage-per-spl.html