topic Re: help for monitoring a CPU abnormally charge following lasting conditions in Monitoring Splunk

help for monitoring a CPU abnormally charge following lasting conditions

jip31 — Sat, 06 Jun 2020 02:07:49 GMT

I use the search below in order to monitore the processes which use more than 80% of CPU

index="TUTU" sourcetype="perfmonmk:process" 
| where process_cpu_used_percent>80

But I want to monitore only the processes > 80% of CPU which last at least one minutes or more and to display it in a timechart
could you help me please??
thanks

Re: help for monitoring a CPU abnormally charge following lasting conditions

deepashri_123 — Wed, 30 Sep 2020 00:35:35 GMT

Hey@jip31,

Can you try using avg(process_cpu_used_percent) and use bin _time span=1m and then try using where.
Let me know if this helps!!

Re: help for monitoring a CPU abnormally charge following lasting conditions

jip31 — Wed, 30 Sep 2020 00:37:55 GMT

hi
thanks
i have done this but i dont understand how to use bin_time?
I would also like to have only the last 10 events
index="test" sourcetype="perfmonmk:process"
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10
could you help me pelase??

Re: help for monitoring a CPU abnormally charge following lasting conditions

DavidHourani — Mon, 20 May 2019 07:49:21 GMT

Hi @jip31,

Nice index name ^^

This query is correct :

index="TUTU" sourcetype="perfmonmk:process" 
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10

If you want to use bucket you can use it like this :

 index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10

Cheers,
David

Re: help for monitoring a CPU abnormally charge following lasting conditions

jip31 — Wed, 30 Sep 2020 00:37:59 GMT

hi david

when I add bin _time J have the message : the specifier bin_time is invalid. It must be in form (). For example : max(size)
and I want to display ten events (host) in my timechart but only the last 10 events (host)
with head 10 i have ten events but not the last.....

Re: help for monitoring a CPU abnormally charge following lasting conditions

DavidHourani — Mon, 20 May 2019 09:57:10 GMT

ohhhh, sorry! hahah it's actually bucket 😄

 index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10

as for the last 10 you can use reverse :

index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time|reverse | head 10

Re: help for monitoring a CPU abnormally charge following lasting conditions

jip31 — Mon, 20 May 2019 10:46:34 GMT

thanks david
last question
my final search is :

index="tutu" sourcetype="perfmonmk:process" 
| where process_cpu_used_percent>80 
| bucket _time span=1m 
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
| eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
| table _time host process_cpu_used_percent 
| dedup host 
| reverse 
| head 10

do you think its correct??

Re: help for monitoring a CPU abnormally charge following lasting conditions

DavidHourani — Mon, 20 May 2019 10:53:15 GMT

Looks good !

But I think you want to use your 80% filter after the stats that way it gets applied on the average, this should do :

 index="tutu" sourcetype="perfmonmk:process" 
 | bucket _time span=1m 
 | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
 | where process_cpu_used_percent>80 
 | eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
 | dedup host 
 | reverse 
 | head 10

Re: help for monitoring a CPU abnormally charge following lasting conditions

DavidHourani — Mon, 20 May 2019 10:53:36 GMT

please upvote comments and accept answer if it was helpful ❤️