EC2 instances with consistently low CPU utilization (overprovisioned) may contribute to excessive or wasted cloud spend. EC2 instances with consistently high CPU utilization (underprovisioned) may experience performance issues associated with CPU resource constraints. You need to be able to easily identify these instances so you can decide what to do with them.
AWS: CloudWatch data
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
  - Pulling the data into Splunk via the AWS APIs. At small scale, pulling via the AWS APIs works fine.
  - Pushing the data from AWS into Splunk via Lambda/Firehose to the Splunk HTTP Event Collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
index="<AWS index name>" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name=CPUUtilization | stats sparkline(avg(Average),5m) AS cpu_trend avg(Average) AS avg_cpu perc99(Average) AS p99_cpu BY metric_dimensions | sort p99_cpu
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk search | Explanation |
|---|---|
| index="<AWS index name>" sourcetype="aws:cloudwatch" | Search the index(s) where AWS data is stored filtered to just the AWS CloudWatch Logs sourcetype. |
| metric_dimensions="InstanceId=*" metric_name=CPUUtilization | Search for the CPU Utilization metric. |
| \| stats sparkline(avg(Average),5m) AS cpu_trend avg(Average) AS avg_cpu perc99(Average) AS p99_cpu BY metric_dimensions | Identify average and max CPU utilization per instance, and add the sparkline function to visualize the CPU trend over time. To identify underprovisioned instances, add the following line of SPL to this search next: |
| \| sort p99_cpu | Sort by instances with the lowest CPU utilization first. |
For overprovisioned EC2 instances, use the results from your search to make decisions about resizing and optimizing your cloud environment so you can reduce cost. For underprovisioned EC2 instances, use the results to decide which instances may be candidates for upsizing to ensure workloads run smoothly and without limitations.
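The following search is an added example, not part of the original article. It extends the search above so that one result set labels both cases. The two thresholds (assumed_low_pct=10 and assumed_high_pct=90) and the sizing and datapoints field names are assumptions to adjust for your environment. An instance is labeled overprovisioned when even its 99th percentile stays below the low threshold, and underprovisioned when its average exceeds the high threshold.

```spl
index="<AWS index name>" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name=CPUUtilization
| stats sparkline(avg(Average),5m) AS cpu_trend avg(Average) AS avg_cpu perc99(Average) AS p99_cpu count AS datapoints BY metric_dimensions
| eval assumed_low_pct=10, assumed_high_pct=90
| eval sizing=case(p99_cpu < assumed_low_pct, "overprovisioned", avg_cpu > assumed_high_pct, "underprovisioned", true(), "ok")
| where sizing!="ok"
| sort sizing, -p99_cpu
| fields metric_dimensions sizing avg_cpu p99_cpu datapoints cpu_trend
```

The datapoints column shows how many samples back each row, so an instance with only a few data points in the time range can be set aside before any resizing decision.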
You might also want to look at similar searches in our article Managing an Amazon Web Services environment.