Sysstat Package, sar, sadf, iostat, mpstat, pidstat…

By | January 1, 2014

Starts with #sar –options: Dare not try “# sar [-A]”…try and see!!! This will throw at you a multiscreen info and you’ll get lost…hmm…because it contains everything so let’s rather look for our specific need.

SYNTAX: to recap the syntax.

For live and running stats For analysis of data stored, by sa1, for today until the current time. For analysis of data for a specific date
# sar [option] <interval in seconds> <count> # sar [option] # sar [option] -f /path/to/log/file/saXX
# sar -u 1 3 # sar -u      or   # sar # sar -u – f /var/log/sa/sa06

Please note that all the examples below “[]” means optional “< >” means compulsory. And these are few examples only. We can try any valid combination as per above matrix.


This gives CPU statistics [All] is optional.

Free & Used Memory statistics.

#sar -P [<ALL|”the CPU core number>] [<interval in seconds> [<count>]].

Overall I/O statistics: tps- Transactions per second (this includes both read and write), rtps – Read transactions per second, wtps – Write transactions per second, bread/s – Bytes read per second & bwrtn/s– Bytes written per second.

Individual Block Device I/O Activities (sar -d: device level) : To identify the activities by the individual block devices (i.e a specific mount point, or LUN, or partition), use “sar -d”. The device name (DEV column) can display the actual device name (for example: sda, sda1, sdb1 etc.,), if you use the -p option (pretty print) as shown above. Are you amazed here? …I am!

Swap Statistics.

Ha ha ha…This is what we use most…Reports run queue and load average (sar -q): This reports the run queue size and load average. Very obvious runq-sz: run queue size, process list size, load average for 1 minute, load average for 5 minutes and load average for 15 minutes.

Report network statistics (sar -n): For example: number of packets received (transmitted) through the network card, statistics of packet failure etc.,

DEV – Displays network devices vital statistics for eth0,eth1, etc;

EDEV – Displays network devices failure statistics.

NFS – Displays NFS client activities.

NFSD – Displays NFS server activities

SOCK – Displays sockets in use for IPv4.

IP – Displays IPv4 network traffic

EIP – Displays IPv4 network errors

ICMP – Displays ICMPv4 network traffic

EICMP – Displays ICMPv4 network errors.

TCP – Displays TCPv4 network traffic

ETCP – Displays TCPv4 network errors

UDP – Displays UDPv4 network traffic

SOCK6, IP6, EIP6, ICMP6, UDP6 are for IPv6

ALL – This displays all of the above informatian. The output will be very long.

Most interesting, [o] is used to send output to any file that can be read in ASCII format.

Analyze data from a specific period of the day. -s: start, -e: end. And I end it here too.

Don’t get tired yet?..Let’s Continue & enrich on “sysstat Package”. As we finished with options, let’s talk about some other “commands/utilities” of this package. Although I’m bugged to talk at length, but I’ll put the other commands in very brief, leaving it for you to ponder. So, we have known sar, sadc, sa1 & sa2. Let’s take a closer look at sa2. Current settings in “/etc/cron.d/sysstat” makes sa1 busy in collecting the data all the time every 10 minutes and sa2 is summarizing the collected data (not new but already collected data by sa1) for whole day at close to midnight and logs it to /var/log/sa/sarxx file in ASCII format. The A option with sa2 makes it summarize everything.

Manually collecting data in ASCII format: Can we pull it for today, before it runs on its own @midnight(53 23 * * * ), if required? Let’s check.

Yes! Box#1: we ran sa2 manually, without any option means it only summarizes for us (1) CPU usage (2) from the beginning of current date (since system is running) till the time of hitting the command (3) writes the data to the file /var/log/sa/sar30(30=date when command ran). Confused here?…it’s not yet midnight…look at uptime…so cron didn’t do this job which is set to run @23 hours 53 minutes. Box#2: it created file sar30, by default. Box#3: system start time. Box#4: noticeably the interval of data collection is 10 minutes and this comes as set for sa1 in cron file. Hence it confirms sa2 is only summarizing the data in ASCII format and is not collecting it. NOT CONVINCED ? Stop cronjob for sa1 in the cron settings and see it yourself!

NOTE: By default, the logfiles will be date-stamped with the current day of the month, so the logs will rotate automatically. The take away point, from above illustration is we hardly need sa2 if we know how to run the command #sar, running sa1 is enough. Or else simply # cat|less|grep /the/sarxx/file to know the summary, if sa2 has been doing it’s job.

Other utilities of “Sysstat Package” (Very Brief).

Sadf performs all tasks that sar does and additionally it is capable of generating data in different formats (CSV, XML, etc.). The benefit is it can be used in conjunction with other commands like “mail” to name. sadf uses its own flags with [-option] (-x is for xml format in the above slide) and then uses sar’s any option(s) too with [- –  -sar_option] (as in the box above).

Does #iostat remind you of “# sar -b”….I/O stats ?

#mpstat is similar to what you get by “#sar -u”!

PIDSTAT is good to bring to you reports based on process ID



nfsiostat displays NFS I/O statistics & cifsiostat generates CIFS statistics. Cheers!

Syntax revised.

 For Live data (pulled fresh)

Todays data till the point of running command

For analysis of data for a specific date

# sar [option] <interval in seconds> <count>

# sar [option]

# sar [option] -f /path/to/log/file/saXX

# sar -u 1 3

# sar -u      or   # sar

# sar -u – f /var/log/sa/sa06

Share itShare on FacebookEmail this to someoneTweet about this on TwitterShare on Google+Share on LinkedInPrint this page

Leave a Reply

Your email address will not be published. Required fields are marked *

Current month ye@r day *