Collectl Frequently Asked Questions

General Questions

Running collectl

Operational Problems

General Questions

What is the difference between collectl and sar?

At the highest level, both collectl and sar provide lightweight collection of device performance information. However, when used in a diagnostic mode sar falls short on a number of points, though admittedly some could be addressed by wrapping it with scripts that reformat the data:

Isn't a default monitoring frequency of 1 second going to kill my system?

Running collectl interactively at a 1 second interval has been shown to provide mininal load. However, for running collectl for long periods of time it is recommended to use a default monitoring period of 10 second and in fact is the default when collectl is run as a daemon and started using the 'service start collectl command'.
A lot of effort has gone into making collectl very efficient in spite of the fact that it's written in an interpretive language like perl, which by the way is known for its efficiency. collectl has been measured to use less than 0.01% of the cpu on most systems at an interval of 10 seconds. To measure collectl's load on your own system you can use the command "time collectl -i0 -c8640 -s??? -f." to see the load of collecting a day's worth of data for the specific subsystems included with the -s switch.

What is the best monitoring frequency?

There really isn't a 'best' per se. In general collecting counter data every 10 seconds and process/slab data every minute has been observed to produce a maximum amount of data with a minimal load. When this granularity isn't sufficient there have been uses for collecting data as 0.1 second intervals! There have even been times when wanting to verify a short lived process really does start that doing process monitoring by name at an interval of 0.01 seconds has been found to be useful.

Why so many switches?

In general, most people will not need most switches and that's the main reason for 'basic' vs 'extended' help. However, it's also possible that there may be an extended switch that provides some specific piece of functionality not there with the basic ones and it is recommended that once you feel more comfortable with the basic operations that you spend a little time looking at them too.

Why doesn't --top show as much data as the top command?

The simple answer is because this is collectl, not top. Actually I thought of that and then decided with all the different switches and options, the easiest thing to do is just run a second instance of collectl in another window, showing whatever else you want to see in whatever format you like. You can even pick different monitoring intervals.

What does collectl stand for?

Collectl is based on the very popular collect tool written by Rob Urban which was distributed as with DEC's Tru64 Unix Operating System and therefore stands for collect for linux.

How do you pronounce collectl?

It rhymes with pterodactyl.

Why is the default socket port 2655??

Those are the first 4 digits of collectl on a telephone numeric key pad.

Running collectl

How do I get started?

The easiest way to get started is to just type 'collectl'. It will report summary statistics on cpu, disk and network once a second. If you want to change the subsystems being reported on use -s and to change the interval use -i. More verbose information can be displayed with --verbose. See the man pages for more detail.

How do I make a plot?

Collectl supports saving data in plot format - space separated fields - through the use of the -P switch. The resultant output can then be easily plotted using gnuplot, excel or any other packages that understand this format. You can redirect collectl's output to a file OR it's much easier to just use the -f switch to speficy a location to write the data.

How do I drill down to get a closer look at what's going on?

The first order of business is to familiarize yourself with the types of data collectl is capable of collecting. This is best done by looking at the data produced by all the different settings for -s, both lower and upper case as there is some detail data that is not visible at the summary level. Take a look at -sd and -sD. If you still don't see something it might actually be written in -P format. See -sT for an example.
Next, run collectl and instruct it to log everything (or at least as much as you think you'll need) to a file. When you believe you've collected enough data - and this could span multiple days - identify times of interest or just plot everything (see the -P switch). Visually inspecting the plotted data can often show times of unusually heavy resource loads. Often times there is a strong time delineation between good and bad.
It you want to see the actual numbers in the data as opposed to plots, play back the data using the -b switch to select a begin time, usually a few samples prior to the time when things started to go bad. To reduce the amount of output you can also use -e to set the end time for the collection. You can also start selecting specific subsystems to look at as well as individual devices. For example, if you've discovered that at 11:03 there was an unusal network load, try 'collectl -p filename -b 11:02 -e 11:05 -sN' to see the activity at each NIC.
And don't forget process and/or slab activity if either has been collected. You can also play back this data at specific time intervals too.

I want to look at detail data but forgot to specify it when I collected the data. Now what?

Good news! With the exception of CPU data, collectl always collects detail data whether you ask for it or not - that's how it generates the summaries. When you extract data into plot format, by default it extracts the data based on the switches you used when you collected it. So, if you specified -sd you'll only see summary data when you extract it. BUT if you include -s+D during the generation of plotting data you WILL generate disk details as well.

How do I configure collectl to run all the time as a service?

Use the chkconfig to change collectl's setting to 'on'. On boot, collectl will be automatically started. To start collectl immediately, type 'service collectl start'.

How do I change the monitoring parameters for the 'service'?

Edit /etc/collectl.conf and add any switches you like to the 'DaemonCommands' line. To verify these are indeed compatible (some switches aren't), cut/paste that line into a collectl run command to make sure they work before trying to start the service.

What are the differences between --rawtoo, --lexpr and --sexpr

Looking at --lexpr and --sexpr first, these will cause the contents of most counters to be written as a list or s-expression to either a file or socket based on whether -f or -A is specified. If both are specified the data will be sent over the socket and written locally as a raw file. Adding -P will cause the local file to be written in plot format while adding --rawtoo will cause both plot and raw files to be written locally.

For more information also see Logging.

How can I pass collectl data to other applications?

You actually have several choices, all of which are based on --export in which you specify a routine that will export collectl's output in some other format that your application may prefer to see it in. There are currently 2 such routines: If you don't like either, you're free to write your own.

The next thing you need to decide is whether you simply want to write a data snapshot to a local file which some other program/script can retrieve OR send the data over a socket to your application. Clearly using the socket is more efficient, but the choice is all yours.

An example parser script called readS had been provided as a convenient way to parse a file that is an s-expression, but just keep in mind that it is written in perl and every invocation involved starting up the perl interpretter which may be a little heavier-weight than you wish to use.

If you do choose to use it, the arguments to readS take the following form:

dir category variable [instance [divisor]]

Detailed customization instructions for use of data returned by readS is beyond the scope of this FAQ.

Operational Problems

Why won't collectl run as a service?

As configured, collectl will write its date/time named log files to /var/log/collectl, rolling them every day just after midnight and retaining one week's worth. In addition it also maintains a 'message log' file named for the host, year and month, eg hostname-200508.log - the creation of the message log is driven off the -m switch in DaemonCommands. Check this log for any messages that should explain what is going on.

Why is my 'raw' file so big?

By default, collectl will collect a lot of data - as much as 10 or more MB/day! If the perl-Compress library is installed, these logs will automatically be compressed and are typically less than 2MB/day.
The output file size is also effected by the number of devices being monitored. In geneneral, even on large systems the number network interfaces is small and shouldn't matter, but if the number of disks gets very high, say in the dozens or more, this can begin to have an effect on the file size. The other big variable is the number of processes when collecting process data. As this number grows to the many hundreds (or more), you will see the size of the data file grow.
Finally the other parameter that effects size is the monitoring interval. The aforementioned sizes are based on the defaults which are process/slab monitoring once every 60 seconds and device monitoring once every 10 seconds. Did you override these and make them too small?

Playing back multiple files to terminal doesn't show file names

By design, collectl is expected to be used in multiple ways and a lot of flexibility in the output format has been provided. The most common way of using playback mode is to play back a single file and therefore the name of the file is not displayed. The -m switch will provide the file names as they are processed.

Why don't the averages/totals produced in brief mode look correct?

There may be two reasons for this, the most obvious being that by default the intermediate numbers are normalized into a /sec rate and the averages/totals are based on the raw numbers. If the monitoring interval is 1 sec or you use -on to supress normalization, the results will be very close.
The other point to consider is that numbers are often stored at a higher resolution than displayed and so there is less round-off error with the averages and totals.

I'm getting errors "Ignoring '!' modifier for short option"

As of Version 2, collectl expects at least perl version 5.8 to be installed. If you do not have a newer version of perl and cannot install a newer one, you can get around this problem by installing a newer version of the module perl-Appconfig. Unfortunately, newer versions of perl-Appconfig only operate with perl 5.8 or greater so you will have to install it on some other system running perl 5.8 first. Then you need to manually replace the three modules Getopt.pm, Long.pm and Std.pm on your perl 5.6 system, which can be found under /usr/lib/perl5/. It is also recommended you rename rather than overwrite the originals.

What does New slab created after logging started mean?

When collectl first starts, it builds a list of all the existing slabs. As the message states, collectl has discovered a new slab and adds it to its list. This is relatively rare but can also indicate collection was started too soon, possibly before system processes or applications have allocated system data structures. It is really just an informational message and can safely be ignored.

Why does collectl say waiting for 60 second sample... but doesn't?

This is very rare as it will only happen when collecting a small number of process or slab data samples, but it is also worth understanding what is happening because it gets into the internal mechanics of data collection. In addition to the normal counter collectl uses to collect most data, it also maintains a second one for coarser samples such as process and slab data. When reporting how long collectl is going to wait for a sample, it uses a number based on the type of data being collected. In almost all cases this is the value of the fine-grained counter, but if only collecting process or slab data, it reports the second counter whose default is 60 seconds.

Collection of counters, such as disk traffic or cpu load, always requires 2 samples since it's their different that represent the actual value. Other data such as memory in use or process data only require a single sample but in order to synchronize all the values being reported, collectl always uses its first sampling interval to collectl a base sample and doesn't actually report anything until the second sample is taken which is why it reports the waiting... message even if it isn't being asked to report any counters.

Finally, the -c switch which specifies the number of samples to collect applies to the finer-grained counter. This means if you try to collect a number of samples that will cause the -c switch limit to be reached because any data is actually collected, you will see collectl exit without reporting anything! The best example of this would be the command collectl -sZ -c1. Since the default interactive sample counters are 1 and 60 seconds respectively and collectl has to actually take 2 samples, collectl will only run long enough for one tick of the fine-grained counter or 1 second and immediately exit with no output. Therefore to collect 1 process sample you will actually need to use -c60 but will also have to wait 60 seconds to see anything. Alternatively you could set the fine-grained sample counter to the same as the process sample counter and so the command collectl -i60:60 -sZ -c1 would also report 1 sample after waiting for 60 seconds. If you want to collect a sample after just 1 second, you should use collectl -i:1 -sZ -c1.

Why am I not seeing exceptions only with -ox?

Exception processing requires --verbose. Did you forget to include it?

I'm seeing a bogus data point!

This message means collectl has read a corrupted network statistics record and is ignoring it. It also turns out this has been attributed to some bnx2 chips and a workaround has been generated for newer drivers. If you want a little more information your can read about it here.

The way collectl determines a record is bogus is to look at the transmit and receive rates for each interface and compare them to the speed of that interface (from ethtool and if running as root OR ELSE it uses the value of DefNetSpeed which can be overridden in collectl.conf). It either exceeds twice the inteface rate, the record is considered bogus and ignored. This will cause collectl to report the previous rate for this interval. While not foolproof, it is hoped this will reduce the frequency of this type of data.

What does the error -sj or -sJ with -P also requires CPU details so add C or remove J. mean?

Interrupt reporting has a unique property in that summary data provides CPU specific data while detail data provides data about individual interrupts and you will get this error if you request interrupt plot data but not CPU detail data. The most common place this can happen is if you run collectl V2.5.0 as a daemon because it collectl interrupt data but not CPU detail data.

In order to play back plot data from a file that did not specify CPU details be collected, you can either tell collectl not to include interrupts by the command collectl -s-j... or tell it to also include CPU details with the command collectl -s+C....

In order to make this less confusing with future releases, and until I think of simpler way to do this, the collectl daemon will be set up to include CPU details, noting this has no impact on data collection but only on the playback. You can always request CPU detail data not be generated on playback but will now also have to request interrupts not be included as well by collectl -s-jC....

Why can't I see Process I/O statistics?

You need to be running version 2.6.22 of the kernel or greater and it must have process I/O statistics enabled. The easiest way to check is to see if /proc/self/io exists. If not, you don't have them enabled and will need to rebuild your kernel and the instructions for doing so are beyong the scope of this FAQ. If you do rebuild, make sure you have the following symbols enabled: CONFIG_TASKSTATS, CONFIG_TASK_XACCT and CONFIG_TASK_IO_ACCOUNTING.

I'm getting an error that formatit.ph can't be found

This component of collectl must be in the same directory as collectl itself. On startup collectl looks at the command used to start it and from there determines its location by following as many links as may be associated with that command. It then extracts its directory name from the last link (if any) in the chain. If one has set up a set of links such that the last one uses a relative path, when collectl prepends that path to formatit.ph it's likely not to find it and hence this message. To fix the problem simply specify the complete path in the final link.

When I use an interval >4 seconds I'm getting non-uniform sample times

Awhile back I found a problem on a SuSE 10 system that was running with a new version of glibc that changed the granularity of timers from micro-seconds to nanoseconds and therefore went from 32 to 64 bits. Guess what, 4.3 seconds is > 32 bits! Once I reported this to the author of HiRes he immediately (whithin hours) release version 1.91 which addressed the problem. A newer version of HiRes should be the remedy.

I'm getting settimer messages on the console and in dmesg

This problem is actually another form of the previous one and is related to version 2.5 of glibc. See more details on what this means and how to correct it here.