Which Linux performance counters to in Log Analytics for monitoring?

Question

I am using the Azure Monitor Agent to collect data from my Linux servers. After transitioning from the Log Analytics Agent, I am facing issues with missing data for my KQL queries.

Specifically, the "Processor()% Processor Time" counter is not pulling data as expected. I had to add custom counters like "\Processor()*" to obtain the data. Additionally, I am not getting the "_Total" instance name for Linux servers, which might be leading to false alerts.

Furthermore, the VMComputer table is no longer available, preventing me from using "PhysicalMemoryMB" for memory utilization alerts. Is there alternative to this?

Please help me resolve these issues and obtain the correct data for my alert mechanisms.

Linux server data

Query we are using ( removed the server details )

Answer 1

Hi Arunprasad K,

Thanks for reaching out to Microsoft Q&A.

• Processor Time Counter on Linux:
  • In Linux systems, performance counters differ from Windows, and the "% Processor Time" counter behaves differently. Since you're missing the "_Total" instance name and the specific processor data, the way performance data is collected needs adjustment. You can try the following:
  • Ensure you have enabled CPU Utilization counters using the Azure Monitor Agent Data Collection Rules (DCR):
    • Look for "\Processor(_Total)\% Processor Time" (in Windows) but in Linux, this can be tracked using "\Processor(*)\% Processor Time" for individual CPU cores.
  • Use custom performance counters such as:
    • \Processor Information(_Total)\% Processor Time for all cores (use this if the "_Total" value is missing).
    • Alternatively, gather system CPU metrics from the Perf table in KQL
      • Perf | where ObjectName == "Processor" and CounterName == "% Processor Time"
    • If "_Total" is not available in Linux, ensure you are querying individual cores using wildcards, e.g., "\Processor(*)\% Processor Time".
• Alternative to VMComputer Table (PhysicalMemoryMB)
  • The VMComputer table is no longer available, but you can use the InsightsMetrics table to pull memory metrics in Linux, such as Physical Memory.
    • For example, to monitor memory utilization, you can use:
      • InsightsMetrics | where Name == "AvailableMemoryBytes" | summarize avg(Val) by bin(TimeGenerated, 1h)
    • Another option is the Perf table, where you can retrieve memory data, such as:
      • Perf | where CounterName == "Available MBytes" | summarize avg(CounterValue) by bin(TimeGenerated, 1h)
• Missing _Total Instance
  • For Linux, you typically won’t find the "_Total" instance. Instead, you will need to aggregate over all instances manually in your KQL query to simulate the "_Total" instance:
    • Perf | where ObjectName == "Processor" and CounterName == "% Processor Time" | summarize avg(CounterValue) by bin(TimeGenerated, 1h)
  If these solutions don’t fully resolve your issues, we can review the specific DCR configuration or explore additional metrics like disk and network utilization

Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.