On a *NIX monolithic search-head/indexer, what is the best method to determine Splunk's CPU load by search at a point in time (no need to calculate avg, etc.)? We are looking to build a report to display something like this:
Cheers, Ron

Thanks, here's the solution:
Cheers, Ron

Nice answer!
(18 Nov '11, 07:45)
lguinn ♦

If you really wanted to see CPU usage at a point in time, you could collect the data via the *NIX ps command. Each search in Splunk runs as a separate process. You could even correlate the CPU usage back to the specific search using the search id, which appears in the process information. The *NIX app has a script that runs the ps command and indexes its output. You just need to enable it - and then write the searches to analyze the data.

Another approach, if you want to look at CPU usage over time: Splunk keeps information about each search that it runs in the _audit index. You can see some of the statistics that can be computed, if you are logged into Splunk as an admin. From the Search app, choose the Status menu (between Search and Views in the menu bar). Then choose "Search Activity" and "Search Details." This dashboard will show the most common and the most expensive searches.
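The ps-based approach from the answer above, as an added example that is not part of the original thread: a shell function that reads `ps` output and prints one line per running search with its search id, PID and CPU percentage. It assumes search processes carry the search id as a `--id=<sid>` argument; the function names and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-search CPU at a point in time, taken from ps output.
# Assumption: each search process has "splunkd" and "search" in its
# command line and exposes the search id as "--id=<sid>". Adjust the
# patterns if your process listing looks different.

# Reads "PID %CPU ARGS..." lines on stdin.
# Prints "sid pid pcpu", highest CPU first.
search_cpu_by_sid() {
    awk '
        /splunkd/ && /search/ {
            sid = ""
            # Arguments start at field 3; find the --id= token.
            for (i = 3; i <= NF; i++)
                if ($i ~ /^--id=/) { sid = substr($i, 6); break }
            if (sid != "") printf "%s %s %s\n", sid, $1, $2
        }
    ' | sort -k3,3nr
}

# Constructed sample of `ps -eo pid,pcpu,args` output (not real data).
sample_ps() {
    cat <<'EOF'
  PID %CPU COMMAND
 1201  3.1 splunkd -p 8089 start
 4410 42.5 [splunkd pid=1201] search --id=1321601234.12 --maxbuckets=300 --ttl=600
 4415  7.0 [splunkd pid=1201] search --id=scheduler__admin__search_c3VtbWFyeQ_at_1321601100_7 --maxbuckets=0 --ttl=120
 5002  0.3 sshd: ron@pts/0
EOF
}

# Demo on the constructed sample.
# Live use on the search head: ps -eo pid,pcpu,args | search_cpu_by_sid
sample_ps | search_cpu_by_sid
```

The search id printed in the first column is the value to match against search records in the _audit index.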
