Splunk Lantern

*Nix CPU utilization nearing capacity

Excessive CPU utilization on a host, particularly when it is abnormal or prolonged, is a sign of potential issues with the critical applications running on that host. You want to detect when an application is starved for CPU resources so you can prevent performance degradation or application instability.

Procedure

Option 1

  1. Ensure that you have installed the Splunk Add-on for Unix and Linux on your Splunk search head, indexer, and the Splunk universal forwarders on the monitored systems. Click here for an example inputs.conf file that can be deployed to the universal forwarder on the *nix host to collect memory utilization data and store the results into a metrics index.
  2. In Splunk Enterprise or Splunk Cloud Platform, run the following search. You can optimize it by specifying an index and adjusting the time range.
    | mstats min(cpu_metric.pctIdle) AS Idle WHERE index="<name of *nix metrics index>" AND host="<name of host to check>" span=1m BY host
    | eval cpu_utilization=(100 - Idle)
    | timechart max(cpu_utilization) AS cpu_utilization BY host

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `\| mstats min(cpu_metric.pctIdle) AS Idle WHERE index="<name of *nix metrics index>" AND host="<name of host to check>" span=1m BY host` | Search the metrics index(es) where CPU utilization data is being collected and filter down to the desired host(s). |
| `\| eval cpu_utilization=(100 - Idle)` | Convert percent idle to percent utilized for readability. |
| `\| timechart max(cpu_utilization) AS cpu_utilization BY host` | Plot CPU utilization over time. |

Next steps

Set up an alert based on this search so you can proactively manage potential stability issues. To alert when CPU utilization is nearing max capacity, you can follow one of the following two recommendations:

  • Use the SPL from this procedure to configure a Core Splunk alert.
  • Configure the Average CPU Usage vital metric for the Unix/Linux entity type in IT Essentials Work to alert when the CPU Utilization percentage is at or near 100.
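
One way to turn the Option 1 search into an alert search, as an added example that is not part of the original article: it returns a host only when cpu_utilization stayed above 95 for five consecutive one-minute samples, so a single short spike does not fire. The threshold of 95 and the five-minute duration are assumptions borrowed from the detector settings listed under Option 2, and the field names breach, samples, breaches, window_span, last_breach and peak_cpu_utilization are illustrative.

```spl
| mstats min(cpu_metric.pctIdle) AS Idle WHERE index="<name of *nix metrics index>" AND host="<name of host to check>" span=1m BY host
| eval cpu_utilization=(100 - Idle)
| eval breach=if(cpu_utilization > 95, 1, 0)
| sort 0 host _time
| streamstats global=false window=5 count AS samples sum(breach) AS breaches range(_time) AS window_span BY host
| where samples=5 AND breaches=5 AND window_span<=240
| stats max(_time) AS last_breach max(cpu_utilization) AS peak_cpu_utilization BY host
| eval last_breach=strftime(last_breach, "%Y-%m-%d %H:%M:%S")
```

`global=false` keeps a separate five-sample window per host, and the `window_span<=240` check discards windows stretched by missing data points. Saved as an alert, the search can trigger when the number of results is greater than zero.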

Finally, you might be interested in other processes associated with the Maintaining *nix systems use case.

Option 2

  1. Ensure that you have the Splunk OTEL Collector installed on the host you want to monitor.
  2. In Splunk Infrastructure Monitoring, use the following SignalFlow to search the cpu.utilization streaming metric and filter down to the hosts and processes you want to check. 
    A = data('cpu.utilization', filter=filter('host.name', '<name of host to check>')).publish(label='A')

Next steps

To alert when CPU utilization is nearing max capacity for the selected host(s) and process(es), use the SignalFlow from this procedure to configure a detector with an alert condition of "Static Threshold" and alert settings of:

  • Alert when: Above
  • Threshold: 95
  • Trigger sensitivity: Duration
  • Duration: 5m

Finally, you might be interested in other processes associated with the Maintaining *nix systems use case.