<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Splunk Perfmon misreporting W3WP processes consuming 100% cpu in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-Perfmon-misreporting-W3WP-processes-consuming-100-cpu/m-p/321410#M93479</link>
    <description>&lt;P&gt;This is the inputs collecting data.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[perfmon://Process]
counters = % Processor Time; ID Process; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 420
object = Process
useEnglishOnly=true
index = perfmon
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The % Processor Time has worked very reliably in windows 2008 but since upgrading to 2016 it is often reporting various W3WP running at Value 100. (This alert averages over the last 2 hours and alerts only if the value is over 90) &lt;/P&gt;

&lt;P&gt;Logging onto the server, monitoring with perfmon or typeperf show that all w3wp processes are running under 5% continuously as we are not as of yet utilizing these servers.&lt;/P&gt;

&lt;P&gt;This looks to be a problem specific to splunk. Is there anything in that stanza that looks incorrect? Anyone have any insight as to what might be going on here?  I would like to reliably track CPU usage of processes.&lt;/P&gt;

&lt;P&gt;An example event, this process is running at 0% but splunk is reporting 100?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;01/19/2018 17:21:51.191 -0500
collection=Process
object=Process
counter="% Processor Time"
instance=w3wp#3
Value=100

host =  W2K16Server     
    index = perfmon     
    source =    Perfmon:Process     
    sourcetype =    Perfmon:Process     
    splunk_server = SplunkIndexerServer21
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Sat, 20 Jan 2018 00:16:22 GMT</pubDate>
    <dc:creator>SplunkShawnCt</dc:creator>
    <dc:date>2018-01-20T00:16:22Z</dc:date>
    <item>
      <title>Splunk Perfmon misreporting W3WP processes consuming 100% cpu</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-Perfmon-misreporting-W3WP-processes-consuming-100-cpu/m-p/321410#M93479</link>
      <description>&lt;P&gt;This is the inputs collecting data.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[perfmon://Process]
counters = % Processor Time; ID Process; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 420
object = Process
useEnglishOnly=true
index = perfmon
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The % Processor Time has worked very reliably in windows 2008 but since upgrading to 2016 it is often reporting various W3WP running at Value 100. (This alert averages over the last 2 hours and alerts only if the value is over 90) &lt;/P&gt;

&lt;P&gt;Logging onto the server, monitoring with perfmon or typeperf show that all w3wp processes are running under 5% continuously as we are not as of yet utilizing these servers.&lt;/P&gt;

&lt;P&gt;This looks to be a problem specific to splunk. Is there anything in that stanza that looks incorrect? Anyone have any insight as to what might be going on here?  I would like to reliably track CPU usage of processes.&lt;/P&gt;

&lt;P&gt;An example event, this process is running at 0% but splunk is reporting 100?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;01/19/2018 17:21:51.191 -0500
collection=Process
object=Process
counter="% Processor Time"
instance=w3wp#3
Value=100

host =  W2K16Server     
    index = perfmon     
    source =    Perfmon:Process     
    sourcetype =    Perfmon:Process     
    splunk_server = SplunkIndexerServer21
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sat, 20 Jan 2018 00:16:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-Perfmon-misreporting-W3WP-processes-consuming-100-cpu/m-p/321410#M93479</guid>
      <dc:creator>SplunkShawnCt</dc:creator>
      <dc:date>2018-01-20T00:16:22Z</dc:date>
    </item>
  </channel>
</rss>

