Collectl Frequently Asked Questions
General Questions
Running collectl
Gottchas - what you don't know can hurt you
Operational Problems
General Questions
What is the difference between collectl and sar?
At the highest level, both collectl and sar provide lightweight collection of 
device performance information.  However, when used in a diagnostic mode sar
falls short on a number of points, though admittedly some could be addressed
by wrapping it with scripts that reformat the data:
  - sar plays back data by device/subsystem, sorted by time
- sar does not deal with sub-second time
- sar output cannot be directly fed into a plotting tool
- sar does not provide nfs, lustre or interconnect statistics
  
- sar does not provide for the collection of slab data
  
- sar's process monitoring is limited in that if cannot save
    process data in a file, cannot monitor threads, cannot select processes
    to monitor other than ALL or by pid (so cannot selectively discover new 
    processes) and in interactive mode is limited to 256 processes
Isn't a default monitoring frequency of 1 second going to kill my system?
Running collectl interactively at a 1 second interval has been shown to provide
minimal load.  However, for running collectl for long periods of time it is 
recommended to use a default monitoring period of 10 second and in fact is the 
default when collectl is run as a daemon and started using the 'service start
collectl command'.
A lot of effort has gone into making collectl very efficient in spite of the fact
that it's written in an interpretive language like perl, which by the way is known
for its efficiency.  collectl has been measured to use less than 0.01% of the cpu
on most systems at an interval of 10 seconds.  
To measure collectl's load on your own system you can use the command
"time collectl -i0 -c8640 -s??? -f." to see the load of collecting a day's worth 
of data for the specific subsystems included with the -s switch.
What is the best monitoring frequency?
There really isn't a 'best' per se.  In general collecting counter data every 10 seconds
and process/slab data every minute has been observed to produce a maximum amount of data
with a minimal load.  When this granularity isn't sufficient there have been uses for 
collecting data as 0.1 second intervals!  There have even been times when wanting to 
verify a short lived process really does start that doing process monitoring by name at 
an interval of 0.01 seconds has been found to be useful.
Why so many switches?
In general, most people will not need most switches and that's the main reason
for 'basic' vs 'extended' help.  However, it's also possible that there may be
an extended switch that provides some specific piece of functionality not there
with the basic ones and it is recommended that once you feel more comfortable
with the basic operations that you spend a little time looking at them too.
Why doesn't --top show as much data as the top command?
The simple answer is because this is collectl, not top.
Actually I thought of that and then decided with all the different switches
and options, the easiest thing to do is just run
a second instance of collectl in another window, 
showing whatever else you want to see in whatever
format you like.  You can even pick different monitoring intervals.
What does collectl stand for?
Collectl is based on  the very popular collect tool written by Rob Urban which
was distributed as with DEC's Tru64 Unix Operating System and therefore stands for
collect for linux.
How do you pronounce collectl?
It rhymes with pterodactyl.
Why is the default socket port 2655??
Those are the first 4 digits of collectl on a telephone numeric key pad.
Running collectl
How do I get started?
The easiest way to get started is to just type 'collectl'.  It will report
summary statistics on cpu, disk and network once a second.  
If you want to change the subsystems being reported on use -s and to change
the interval use -i.  More verbose information can be displayed with --verbose.  See
the man pages for more detail.
How do I make a plot?
Collectl supports saving data in plot format - space separated fields - through
the use of the -P switch.  The resultant output can then be easily plotted 
using gnuplot, excel or any other packages that understand this format.  You
can redirect collectl's output to a file OR it's much easier to just use the
-f switch to specify a location to write the data.
How do I drill down to get a closer look at what's going on?
The first order of business is to familiarize yourself with the types of data 
collectl is capable of collecting.  This is best done by looking at the data
produced by all the different settings for -s, both lower and upper case as 
there is some detail data that is not visible at the summary level.  
Take a look at -sd and -sD.  If you still
don't see something it might actually be written in -P format.  See -sT for an
example.
Next, run collectl and instruct it to log everything (or at least as much as you 
think you'll need) to a file.  When you believe you've collected enough data - and
this could span multiple days - identify times of interest or just plot everything
(see the -P switch).
Visually inspecting the plotted data can often show times of unusually heavy resource
loads.  Often times there is a strong time delineation between good and bad.
It you want to see the actual numbers in the data as opposed to plots,
play back the data using the --from switch to 
select a begin time, usually a few samples prior to the time when things started to
go bad.  To reduce the amount of output you can also use --thru to set the end time for
the collection.  You can also start selecting specific subsystems to look at as well
as individual devices.  For example, if you've discovered that at 11:03 there was 
an unusal network load, try 'collectl -p filename --from 11:02 --thru 11:05 -sN' to see
the activity at each NIC.
And don't forget process and/or slab activity if either has been collected.  You can
also play back this data at specific time intervals too.
I want to look at detail data but forgot to specify it when I collected the 
data.  Now what?
Good news!  With the exception of CPU data, collectl always collects
detail data whether you ask for it or not - that's how it generates the 
summaries.  When you extract data into plot format, by default it extracts the
data based on the switches you used when you collected it.  So, if you 
specified -sd you'll only see summary data when you extract it.  BUT if you
include -s+D during the generation of plotting data you WILL generate disk
details as well.
How do I configure collectl to run all the time as a service?
Use the chkconfig to change collectl's setting to 'on'.  On boot, collectl will
be automatically started.  To start collectl immediately, type 
'service collectl start'.
How do I change the monitoring parameters for the 'service'?
Edit /etc/collectl.conf and add any switches you like to the 'DaemonCommands'
line.  To verify these are indeed compatible (some switches aren't), cut/paste
that line into a collectl run command to make sure they work before trying to
start the service.
What are the differences between --rawtoo, --lexpr and --sexpr
Looking at --lexpr and --sexpr first, these will cause the contents of most
counters to be written as a list or s-expression to either a file or socket
based on whether -f or -A is specified.  If both are specified the data will
be sent over the socket and written locally as a raw file.
Adding -P will cause the local file to be written in plot format while adding
--rawtoo will cause both plot and raw files to be written locally.
For more information also see Logging.
How can I pass collectl data to other applications?
You actually have several choices, all of which are based on
--export in which you specify a routine that will export collectl's
output in some other format that your application 
may prefer to see it in.  There are currently 2 such routines:
- lexpr.ph formats data as a list
- sexpr.ph formats data as an s-expression
If you don't like either, you're free to write your own.
The next thing you need to decide is whether you simply want to write a
data snapshot to a local file which some other program/script can retrieve
OR send the data over a socket to your application.  Clearly using the socket
is more efficient, but the choice is all yours.
An example parser script called readS had been provided as a convenient
way to parse a file that is an s-expression, but just keep in mind that it is 
written in perl and every invocation involved starting up the perl interpreter
which may be a little heavier-weight than you wish to use.
If you do choose to use it, the arguments to readS take the following form:
dir category variable [instance [divisor]]
  - dir - directory in which the s-expression S exists, often
      /var/log/collectl
  
- category - category of data element, such asc cputotals or diskinfo
  
- variable - the name of a summary item such as nice for cpu data 
      or the name of the detail category such as diskinfo.
  
- instance - for detail data this is the instance name
  
- divisor - divide the results by this number, noting for summary data 
      instance needs to be a null string
Detailed customization instructions for use of data returned by readS 
is beyond the scope of this FAQ.Gottchas
This section is for those things people might otherwise miss in the FAQ and Shouldn't, because
they can cause misunderstanding of what is being reported.
Round-off vs normalization
Since most of the numbers collectl reports are large, certainly greater than the number of
seconds in an interval,  they are not affected and so this is rarely an issue.  However there 
are values that can be quite low such as the number of processes created/second or network errors.
This can also be the case for many of the nfs metadata operations counters, some of which report
values as low as 1 over many minutes.
The issue is if you're looking at data at some interval other than 1 second, the result of dividing
these numbers by the interval size can result in values less than 0.5 and since collectl rounds off,
those values would be reported as 0 and you could miss a critical data point.  If you
tell collectl not to normalize the data, in other words NOT to divide by the interval, you'll
always see the actual numbers.  However, since most people prefer values/sec, it's easy to
forget.  Try not to...
Operational Problems
Why won't collectl run as a service?
As configured, collectl will write its date/time named log files to 
/var/log/collectl, rolling them every day just after midnight and retaining 
one week's worth.  In addition it also maintains a 'message log' file named for
the host, year and month, eg hostname-200508.log - the creation of the message log is
driven off the -m switch in DaemonCommands.  Check this log for any messages
that should explain what is going on.
Why is my 'raw' file so big?
By default, collectl will collect a lot of data - as much as 10 or more MB/day!
If the perl-Compress library is installed, these logs will automatically be 
compressed and are typically less than 2MB/day.
The output file size is also affected by the number of devices being monitored.
In general, even on large systems the number network interfaces is small and
shouldn't matter, but if the number of disks gets very high, say in the dozens
or more, this can begin to have an effect on the file size.  The other big
variable is the number of processes when collecting process data.  As this 
number grows to the many hundreds (or more), you will see the size of the data
file grow.
Finally the other parameter that effects size is the monitoring interval.  The
aforementioned sizes are based on the defaults which are process/slab 
monitoring once every 60 seconds and device monitoring once every 10 seconds.
Did you override these and make them too small?
Playing back multiple files to terminal doesn't show file names
By design, collectl is expected to be used in multiple ways and a lot of 
flexibility in the output format has been provided.  The most common 
way of using playback mode is to play back a single file and therefore the name
of the file is not displayed.  The -m switch will provide the file names as
they are processed.
Why don't the averages/totals produced in brief mode look correct?
There may be two reasons for this, the most obvious being that by default the 
intermediate numbers are normalized into a /sec rate and the averages/totals
are based on the raw numbers.  If the monitoring interval is 1 sec or you use
-on to suppress normalization, the results will be very close.
The other point to consider is that numbers are often stored at a higher 
resolution than displayed and so there is less round-off error with the averages
and totals.
What does New slab created after logging started mean?
When collectl first starts, it builds a list of all the existing slabs.
As the message states, collectl has discovered a new slab and adds it to
its list.  This is relatively rare but can also indicate collection was
started too soon, possibly before system processes or applications
have allocated system data structures.  It is really just an informational
message and can safely be ignored.
Why does collectl say waiting for 60 second sample... but doesn't?
This is very rare as it will only happen when collecting a small number of process
or slab data samples, but it is also worth understanding what is happening
because it gets into the internal mechanics of data collection.  In addition to the
normal counter collectl uses to collect most data, it also maintains a second
one for coarser samples such as process and slab data.  When reporting how long
collectl is going to wait for a sample, it uses a number based on the type of
data being collected.  In almost all cases this is the value of the fine-grained
counter, but if only collecting process or slab data, it reports the second
counter whose default is 60 seconds.
Collection of counters, such as disk traffic or cpu load, always requires 2
samples since it's their different that represent the actual value.  Other
data such as memory in use or process data only require a single sample 
but in order to synchronize all the values being reported, collectl
always uses its first sampling interval to collectl a base sample and doesn't
actually report anything until the second sample is taken which is why it
reports the waiting... message even if it isn't being asked to report
any counters.
Finally, the -c switch which specifies the number of samples to collect
applies to the finer-grained counter.  This means if you try to collect a number
of samples that will cause the -c switch limit to be reached because any data
is actually collected, you will see collectl exit without reporting anything!
The best example of this would be the command collectl -sZ -c1.
Since the default interactive sample counters are 1 and 60 seconds respectively
and collectl has to actually take 2 samples, collectl will only run long
enough for one tick of the fine-grained counter or 1 second and immediately
exit with no output.  Therefore to 
collect 1 process sample you will actually need to use -c60 but will also have
to wait 60 seconds to see anything.  
Alternatively you could set the fine-grained sample counter to the same as
the process sample counter
and so the command collectl -i60:60 -sZ -c1 would also report 1 sample
after waiting for 60 seconds.  If you want to collect a sample after just 1
second, you should use collectl -i:1 -sZ -c1.
Why am I not seeing exceptions only with -ox?
Exception processing requires --verbose.  Did you forget to include it?
I'm seeing a bogus data point!
This message means collectl has read a corrupted network statistics record
and is ignoring it.  It also turns out this has been attributed to some
bnx2 chips and a workaround has been generated for newer drivers.  If you
want a little more information your can read about it
here.
The way collectl determines a record is bogus is to look at the transmit and receive 
rates for each interface and compare them to the speed of that interface
from /sys/devices OR if no entry found uses the value of DefNetSpeed
which can be overridden in collectl.conf).
It either exceeds twice the interface rate, the record is considered bogus
and ignored.  This will cause collectl to report the previous rate
for this interval.  While not foolproof, it is hoped this will reduce the
frequency of this type of data.
What does the error -sj or -sJ with -P also requires CPU details so add C or remove J. mean?
Interrupt reporting has a unique property in that summary data provides CPU specific data
while detail data provides data about individual interrupts and you will get this error
if you request interrupt plot data but not CPU detail data.  The most common place this
can happen is if you run collectl V2.5.0 as a daemon because it collectl interrupt data
but not CPU detail data.
In order to play back plot data from a file that did not specify CPU details be 
collected, you can either tell collectl not to include interrupts by the command
collectl -s-j... or tell it to also include CPU details with the command
collectl -s+C....
In order to make this less confusing with future releases, and until I think of simpler
way to do this, the collectl daemon will be set up to include CPU details, noting this
has no impact on data collection but only on the playback.  You can always request CPU
detail data not be generated on playback but will now also have to request interrupts
not be included as well by collectl -s-jC....
Why can't I see Process I/O statistics?
You need to be running version 2.6.22 of the kernel or greater and it must have
process I/O statistics enabled.  The easiest way to check is to see if /proc/self/io
exists.  If not, you don't have them enabled and will need to rebuild your kernel and the
instructions for doing so are beyond the scope of this FAQ.  If you do rebuild, make sure
you have the following symbols enabled: CONFIG_TASKSTATS, CONFIG_TASK_XACCT and
CONFIG_TASK_IO_ACCOUNTING.
I'm getting an error that formatit.ph can't be found
This component of collectl must be in the same directory as collectl itself.  On startup
collectl looks at the command used to start it and from there determines its location by
following as many links as may be associated with that command.  It then extracts its 
directory name from the last link (if any) in the chain.  If one has set up a set of links
such that the last one uses a relative path, when collectl prepends that path to formatit.ph
it's likely not to find it and hence this message.  To fix the problem
simply specify the complete path in the final link.
When I use an interval >4 seconds I'm getting non-uniform sample times
Awhile back I found a problem on a SuSE 10 system that was running with a new version
of glibc that changed the granularity of timers from micro-seconds to nanoseconds and
therefore went from 32 to 64 bits.  Guess what, 4.3 seconds is > 32 bits!  Once I
reported this to the author of HiRes he immediately (within hours) release version
1.91 which addressed the problem.  A newer version of HiRes should be the remedy.
I'm getting settimer messages on the console and in dmesg
This problem is actually another form of the previous one and is related to version 2.5 of
glibc.  See more details on what this means and how to correct it here.
Why is a set of process data missing during playback?
This actually applies to slab data too.  Both types of data contain counters and in order to
display them as rates, collectl needs to read a sample as a baselevel - that's why you see the
waiting for n second sample message when collectl first starts.   This applies to
playback too and that's why when you playback data from a file you never see the first
sample.  Since process/slab data are usually collected at a different frequency, collectl
has to read more intervals to get to the proper baselevel.  As an example, consider data collected
at 00:01AM.  When you play it back, collectl is able to include processes/slabs in its baselevel
since this data is typically collected on an intergral minute boundary.  It will therefore start playing back non-process
data at 00:01:10 and process data at 00:02:00.  In fact, if you play back data from 00:01:10 
collectl reads data from the previous interval and will still report process data for 00:02:00.
However if you play back data from 00:01:20 it will set its baselevel to 00:01:10 which does not
contain process data and so will not report process data until 00:03:00.
Therefore, if you're not seeing process data for the time interval you've chosen use an earlier
value for --from.
I played back all summary data with -P but got a cpu detail file.  Why?
This will happen when you try to convert interrupt data to plot format file.  In fact if you include
-m you will see a message that this is automatically being done for you.  The basic problem is that by
definition summary data is written in a fixed format to help ease the automated processing of the tab
file.  However interrupt data by definition is variable since there is a counter for each CPU.  By
forcing a CPU detail file, there is now a place to put the interrupt data.  To get rid of the message
simply include cpu detail when in playback mode.
What does this message mean: -sj or -sJ with -P also requires CPU details so adding -sC
This message is displayed whenever you try to convert interrupt data to a file in plot format and have not included
CPU detail data as explained in the previous section.  This message is only displayed when -m is included.
Why are some process usernames being reported as numbers?
Collectl uses the usernames from /etc/passwd to associate with a process's UID.  If it can't find that UID in
the file there is no username to associated with it and so collectl
will report the UID instead.  This can happen when using NIS in which case username information is stored
remotely OR if playing back a file on a different host than where the raw data was collected.  To get around this
problem, copy (or create) the passwd file with the correct relationships to the local system and point 
collectl to it with --passwd OR change the Passwd entry in collectl.conf to point to that file if
you get tired of using --passwd.
Why don't I get a prc file with -P and --rawtoo?
The data in the raw file is essentially identical to that in the prc file so the theory is why repeat it
when you can easily create it from the raw file.  Furthermore the raw file is already compressed and so
is a lot smaller.
What happened to -sy in brief mode?
The brief form was always a hack because slab data is typically collected at a different frequency
than everything else.  With the 2.6 kernel, slab usage was included in the brief memory display 
anyway and therefore less important via the -sy switch.  With the move to supporting slab data in
a separate file with -G/--group, that become an even better reason to drop it so I did.
Why do I get an empty file during play back with -sY/-sZ and -P -f?
Trying to get this right was just considered too much effort for too rare a case.
Why don't I get slb/prc files with -P, -sY/Z and --rawtoo but witout -rawtoo I do?
Process data in raw format is almost identical to process data in plot format and it felt like a waste of
space to replicate the data.  Since slab data tends to be treated the same, at least in rawp files, it just
came along for the ride.  You can always force the generation of the slb/prc files by playing back the raw
file with -sY/Z for a second pass.
perl >= 0:5.008000 is needed by collectl...
I'm getting an error from RPM: perl >= 0:5.008000 is needed by collectl...
This seems to be a problem with some older versions of RPM.  Include --nodeps to
override the dependency check and collectl will install and run just fine.
What does this mean: New network device found: xxx?
When collectl was first developed, the assumption had been that to add new devices, especially a
network device, one would have to power off the machine and reboot, making the possibility of a
new device showing up after boot unlikely.  Therefore, when collectl first starts up it identifies 
all the networks on the system and if logging to a file writes this information into the header
so that during playback it can all the network names without having to look into the file.  If a 
new network device does becomes visible after collectl started or during playback, you'll see this message.
However, this message has recently been seen when running with InfiniBand, so a devices obviously
showed up after collectl started.  This message also means that the new device has been added to the 
end of the list of known networks.  If it in fact should have been inserted in the middle of that 
list the results are unpredictable and will probably be wrong.  Be sure to let me know if this occurs.
Clearly as newer versions of linux/hardware emerge, the types of hardware changes that can occur
without shutting down the systems will no doubt increase and so perhaps more of these types of 
situations will occur.
What does this mean: NumNets in header is 'x' but only 'y' listed...?
This message only occurs during playback.  Versions of collectl older than 3.5.1 were 
updating the internal number of network devices when a new one was encountered in real-time or during 
playback, but they were forgetting to update the names used the header as well.  This meant when a 
new logfile was created after midnight (or whenever it was rotated), the new value for the number of
networks was changed in the header but not their names.  If you see this message it's simply pointing 
out that fact and you WILL later see  New network device found: xxx messages as those new 
networks are found in the raw file during playback.  This should not occur with raw files created after
V3.5.1.
Why is -sC showing CPUs with no load and no idle?
Somewhere along the kernel started incorrectly updating the CPU usage stats in /proc/stat and if that's
the case with your kernel, you'll see this behavior.  There is really nothing collectl can do about it
as it relies on the kernel for accurate stats.  Furthermore, before you run out and try a different tool
remember that all tools use /proc/stat to report CPU usage and so that won't help.
When did playing back a file start taking so long?
This problem was first discovered when a user upgraded to RHEL6.2, but it turns out it has nothing to do
with that distro but rather the underlying compression library that collectl relies on, namely Compress::Zlib.
It turns out when that compression library went from 1.42 (last rev of the 1.0 architecure) this broke so
any versions in the 2.0 generation will show this problem.  You can see which version of zlib you're using
by running 'collectl -v'.  If the playback times are too long for you, just do what I've been doing for 
years now and run collectl with -P --rawtoo and you're get both a raw file as well as a plot file with 
not a lot of extra overhead.
What does the message -D requires -f OR -A server mean?
First of all, this should only be seen by someone who has modified /etc/collectl.conf because it already
specifies -f.  The point of the message is that when you run collectl as a deamon, it needs to know what 
to do with its output since there is no terminal available.  That destination must be a file OR collectl
must be run as a server, sending its output out over a socket.