- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Transaction or bucket not working for TOP comm...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the top command to see splunkd resource use just like SOS
I would like to see the total CPU and MEMORY use for Splunkd but there are several PID numbers for splunkd.
I can user the transaction command like this
host=MyIndexers sourcetype=top | multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS | search COMMAND=splunkd | transaction _time | timechart span=1m sum(pctCPU) by host
The problem is this isn't too accurate and the timechart span=1m could contain two or no results depending on the sync.
I would also like to device the sum(pctCPU by 8 since I have 8 cores in each box. this would give me an Percent of 100% rather than Percentage of 800%
Any help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this, it will be much more efficient than the transaction command and work just as well
host=MyIndexers sourcetype=top
| multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS
| search COMMAND=splunkd
| stats sum(pctCPU) as totalPctCPU sum(pctMEM) as totalPctMEM by host _time
| eval totalPctCPU = totalPctCPU / 8
You can't draw both statistics at once though... so for just one of them:
host=MyIndexers sourcetype=top
| multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS
| search COMMAND=splunkd
| stats sum(pctCPU) as totalPctCPU by host _time
| eval totalPctCPU = totalPctCPU / 8
| timechart span=1m avg(totalPctCPU) as pctCPU by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this, it will be much more efficient than the transaction command and work just as well
host=MyIndexers sourcetype=top
| multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS
| search COMMAND=splunkd
| stats sum(pctCPU) as totalPctCPU sum(pctMEM) as totalPctMEM by host _time
| eval totalPctCPU = totalPctCPU / 8
You can't draw both statistics at once though... so for just one of them:
host=MyIndexers sourcetype=top
| multikv fields USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY s ELAPSED COMMAND ARGS
| search COMMAND=splunkd
| stats sum(pctCPU) as totalPctCPU by host _time
| eval totalPctCPU = totalPctCPU / 8
| timechart span=1m avg(totalPctCPU) as pctCPU by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The timechart command computes statistics for every interval, even if there are no events. You could look at the chart or the table.
The stats command doesn't do that. I can't think of a way to generate the 0 rows in the table for stats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I needed thank for both options.
One question if you don't mind. If there is no value I would like to have the value for the "pctCPU" for each server to be 0 this will insure a place holder oven if the CPU for SPlunkd drops to zero. Can you help with that?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
