All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App/Add-on for Unix and Linux: Why do we sometimes get different results for CPU data between a Splunk search and sar output?

gregbo
Communicator
‎02-25-2016 05:17 AM

I've installed Splunk App for *nix on my Splunk installation, and the add-on on a Linux VM. I want to know if I can trust the data I'm getting in Splunk, so I ran sar on the VM for a few minutes and tried to compare the output with data from Splunk ( sourcetype=cpu). Every once in a while, the data matches very closely, but a lot of other times they don't seem to even be close. Anybody know why?

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-27-2016 10:11 AM

Are you running the same command at the same time? Take a look at cpu.sh, the if [ "x$KERNEL" = "xLinux" ] section

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...