All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Unix and Linux TA cpu.sh output wrong for Micro-partitioned AIX systems

beeman07
Engager
‎06-21-2012 08:33 AM

This isn't so much a question as it is a bug report.

cpu.sh outputs correct information on non-Micro-partitioned AIX servers; but on Micro-partitioned systems with SMT, the sar command adds a new column that invalidates the cpu.sh output.

Column headings from "sar -P ALL 1 1" output on a stand-alone server. This is what cpu.sh expects to see:

11:12:04 cpu %usr %sys %wio %idle physc

Column headings from "sar -P ALL 1 1" on a micro-partitioned system with SMT enabled. Notice the new column:

11:12:02 cpu %usr %sys %wio %idle physc %entc

This difference is addressed in the sar manpage:

Beginning with AIX 5.3, the sar command reports utilization metrics
physc and %entc which are related to Micro-Partitioning and
simultaneous multi-threading environments. These metrics will only be
displayed on Micro-Partitioning and simultaneous multi-threading
environments. physc indicates the number of physical processors
consumed by the partition (in case of system wide utilization) or
logical CPU (if the -P flag is specified) and %entc indicates the
percentage of the allocated entitled capacity (in case of system wide
utilization) or granted entitled capacity (if the -P flag is
specified). When the partition runs in capped mode, the partition
cannot get more capacity than it is allocated. In uncapped mode, the
partition can get more capacity than it is actually allocated. This is
called granted entitled capacity. If the -P flag is specified and there
is unused capacity, sar prints the unused capacity as separate CPU with
cpu id U. Note: The sar command only reports on local activities.

Can this issue get fixed in the official release of the Splunk for Unix and Linux TA app?

(Is there a different way in which I should report this issue?)

Reply

araitz
Splunk Employee
Splunk Employee
‎07-06-2012 11:13 AM

I created issue SPL-53293 for this. We might need your help in verifying it, as I don't think we have a micropartitioned AIX system to test with.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎06-22-2012 07:45 AM

Thanks for the report, I will add this to this list of things that we will consider fixing in the next release of the app.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎06-21-2012 06:41 PM

If you have enterprise support, you can open a support case on this. That is probably a good idea if for no other reason than to get the bug officially filed and triaged.

According to araitz, this app should eventually wind up on github - you could provide a patch then if you have one. See http://blogs.splunk.com/2011/11/07/splunk-for-unix-and-linux-an-update-and-an-introduction/ -- but I just checked and it's not there yet.

Reply

araitz
Splunk Employee
Splunk Employee
‎06-22-2012 07:45 AM

Yeah, someone was supposed to put the app on github but never followed through 😕 I'll keep pushing.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...