https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/536954#M10157 <P>Hi,</P><P>Could someone please help me with the Alert for High Memory Usage Per Process</P><P>Whenever the memory used per process is higher that 90% then trigger an alert.</P><P>Below is the query which I tried but not working.</P><P>index="index" &nbsp; sourcetype="PerfmonMk:Process" process_name="sqlservr"<BR />| eval Proc_Mem_mb = process_mem_used / (1024 * 1024)<BR />| fields Proc_Mem_mb process_name host _time<BR />| join host [ search index="index2" sourcetype="WinHostMon" Type=OperatingSystem | eval Tot_Mem_mb = TotalPhysicalMemoryKB/1024 | fields host Tot_Mem_mb ]<BR />| eval high_mem_per_proc = ( (Proc_Mem_mb/Tot_Mem_mb) * 100 )<BR />| eval AlertStatus=if(high_mem_per_proc &gt; 90, "Alert", "Ignore")<BR />|table _time host process_name Tot_Mem_mb Proc_Mem_mb high_mem_per_proc AlertStatus<BR />| search AlertStatus="Alert"</P><P>&nbsp;</P> Sun, 24 Jan 2021 17:27:55 GMT Supriya 2021-01-24T17:27:55Z https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/536954#M10157 <P>Hi,</P><P>Could someone please help me with the Alert for High Memory Usage Per Process</P><P>Whenever the memory used per process is higher that 90% then trigger an alert.</P><P>Below is the query which I tried but not working.</P><P>index="index" &nbsp; sourcetype="PerfmonMk:Process" process_name="sqlservr"<BR />| eval Proc_Mem_mb = process_mem_used / (1024 * 1024)<BR />| fields Proc_Mem_mb process_name host _time<BR />| join host [ search index="index2" sourcetype="WinHostMon" Type=OperatingSystem | eval Tot_Mem_mb = TotalPhysicalMemoryKB/1024 | fields host Tot_Mem_mb ]<BR />| eval high_mem_per_proc = ( (Proc_Mem_mb/Tot_Mem_mb) * 100 )<BR />| eval AlertStatus=if(high_mem_per_proc &gt; 90, "Alert", "Ignore")<BR />|table _time host process_name Tot_Mem_mb Proc_Mem_mb high_mem_per_proc AlertStatus<BR />| search AlertStatus="Alert"</P><P>&nbsp;</P> Sun, 24 Jan 2021 17:27:55 GMT https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/536954#M10157 Supriya 2021-01-24T17:27:55Z https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/536963#M10158 <P>Please explain what "not working" means.&nbsp; What is not working?&nbsp; Does the query not find results or the alert not fire or something else?&nbsp; Have you confirmed at least one process is using 90% of memory?</P><P>May I suggest these lines to replace the last four?</P><LI-CODE lang="markup">| eval high_mem_per_proc = (Proc_Mem_mb * 100)/Tot_Mem_mb | where high_mem_per_proc &gt; 90 | table _time host process_name Tot_Mem_mb Proc_Mem_mb high_mem_per_proc AlertStatus</LI-CODE> Sun, 24 Jan 2021 19:37:51 GMT https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/536963#M10158 richgalloway 2021-01-24T19:37:51Z https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/537101#M10164 <DIV class="lia-message-author-avatar lia-component-author-avatar lia-component-message-view-widget-author-avatar"><DIV class="UserAvatar lia-user-avatar lia-component-common-widget-user-avatar"><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P></DIV></DIV><DIV class="lia-message-author-with-avatar"><SPAN class="UserName lia-user-name lia-user-rank-SplunkTrust lia-component-message-view-widget-author-username"><A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957" target="_self"><SPAN class="login-bold">@richgalloway</SPAN></A></SPAN></DIV><P>&nbsp;- Thank you for responding</P><P>Below is the screenshot of my results and high_mem_per_proc is not giving exact results</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Supriya_1-1611601707778.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12658i662BF9D8254DEB7E/image-size/medium?v=v2&amp;px=400" role="button" title="Supriya_1-1611601707778.png" alt="Supriya_1-1611601707778.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 25 Jan 2021 19:08:37 GMT https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/537101#M10164 Supriya 2021-01-25T19:08:37Z https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/537209#M10165 <P>According to my calculator, the high_mem_per_proc field is exactly what it should be.&nbsp; What result are you expecting?</P> Tue, 02 Feb 2021 19:20:49 GMT https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/537209#M10165 richgalloway 2021-02-02T19:20:49Z https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/538315#M10184 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>we observed that process_mem_used data is not being sent to splunk.</P><P>Could you please provide Stanza to add in input.conf</P><P>&nbsp;</P> Tue, 02 Feb 2021 17:24:53 GMT https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/538315#M10184 Supriya 2021-02-02T17:24:53Z https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/538460#M10190 <P>process_mem_used is a calculated field defined by the splunk_TA_nix and splunk_TA_windows apps.&nbsp; It's part of the ps and Perfmon:Process sourcetypes.</P> Wed, 03 Feb 2021 13:36:55 GMT https://community.splunk.com/t5/Alerting/Windows-High-Memory-Usage-Per-Process-Alert/m-p/538460#M10190 richgalloway 2021-02-03T13:36:55Z