topic Re: Cpu and memory usage in Getting Data In

Cpu and memory usage

carlyleadmin — Tue, 29 Sep 2020 18:00:48 GMT

This probably has been asked many many times but there is still not a good answer out there.i simply want to use forwarder to collect data from my servers and send it to splunk and get a basic cpu memory usage.i am using wmi and my first challenge is what my config file would be.i have something like this which i found it on the net but not sure what is what exactly

[WMI:process]
disabled = 0
interval = 30
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
index = pa

my question is,what should use in wql to pull the data and once i have he config file what would my search would be?

Re: Cpu and memory usage

ansif — Wed, 07 Feb 2018 04:37:44 GMT

inputs.conf

[WMI:LocalMainMemory]
interval = <Interval_Time>
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from \
 Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = <IndexName>

[WMI:process]
index = <IndexName>
disabled = 0
interval = <Interval_Time>
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process

Search Query:

index=<INdexName> sourcetype="WMI:process" Name!=_Total Name!=Idle

You can try this:

index=<INdexName> sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name

Re: Cpu and memory usage

carlyleadmin — Tue, 29 Sep 2020 18:02:30 GMT

Ansif,

i apologize for the late response.i implemented your query and it seems to be working.i just changed the last bit to get a timechart by host.my question is these numbers don't make sense to me.i woudl like to get something in percentage if possible can you help with the?

sourcetype="WMI:CPU" index=main sourcetype="WMI:CPU" Name!=_Total Name!=Idle Name!=_Total Name!=Idle
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart span=10m avg(cputime) by host

Re: Cpu and memory usage

carlyleadmin — Fri, 09 Feb 2018 18:59:54 GMT

Re: Cpu and memory usage

ansif — Mon, 12 Feb 2018 04:51:42 GMT

Can you share your current values and expected values?

Re: Cpu and memory usage

carlyleadmin — Mon, 12 Feb 2018 12:50:23 GMT

Ansif,

here are the results,as i said it before i want to get the avg cpu by host.i will add the images.these numbers are huge.i want to get something like cpu is at 20% or 5%.

Re: Cpu and memory usage

carlyleadmin — Mon, 12 Feb 2018 12:51:02 GMT

Re: Cpu and memory usage

carlyleadmin — Mon, 12 Feb 2018 12:54:27 GMT

Ansif,
instead of getting by all the processors i need just one number for everything so that's why i did by host,but not sure if that number is right or what it means

Re: Cpu and memory usage

ansif — Mon, 12 Feb 2018 14:43:27 GMT

inputs.conf

## Processes
[WMI:LocalProcesses]
interval = 30
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = windows
disabled =0

Search:

sourcetype=WMI:LocalProcesses

Re: Cpu and memory usage

carlyleadmin — Tue, 29 Sep 2020 18:00:11 GMT

Ansif,

First of all ,thank you for taking the time to trying to help me out and i apologize in advance if i am not making this easy for you.
i added the stanza to my wmi and getting the data but don't think it is giving me the correct data or i might be using the wrong query.is the "percentprocessortime" field what i am going to use?if that is,then why do i need "privatebytes"?

so this is what i am searching

index=5sv sourcetype="WMI:LocalProcesses" host=ap5sv Name!=_Total Name!=Idle Name!=_Total Name!=Idle|search PercentProcessorTime > 0|timechart span=4h eval(round(avg(PercentProcessorTime),0)) by host

i actually tried running this in realtime and going into the host machine at the same time and running some processes.numbers are close,but not sure if they are accurate.

can you tell me if this is correct?Thanks for all the help

Re: Cpu and memory usage

Nvijay92 — Wed, 30 Sep 2020 03:26:49 GMT

Hello Ansif,

I have an idea which would be helpful for you.

I know its too late answer.

Please find the below query which would list the processes list consuming more than certain amount of memory,

index="wmi_perfmon" source="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| stats avg(cputime) as CPU_Time by Name
| where CPU_Time > 10

Thank you