https://community.splunk.com/t5/Alerting/How-to-write-a-search-query-for-CPU/m-p/586945#M13532 <P>Hi,</P><P>I am trying to create a alert for cpu usage by using below query,</P><PRE>index=os host=cbtsv <BR />| stats latest(*) as * by host<BR />| table _time cpu_load_percent cpu_user_percent <BR />| eval CPU=cpu_load_percent+cpu_user_percent|stats avg(CPU) as percent by host</PRE><P>here Ii am trying to add 2 fields (CPU=CPU load + cpu user)<BR />but it is not giving results as expected<BR />I want an alert to be triggered when Avg value of CPU=(cpu_load + cpu user) exceeds 90%.<BR />How do I set the alert to meet the conditions above?<BR /><BR />Final output like</P><TABLE><TBODY><TR><TD><P><STRONG>Timestamp</STRONG></P></TD><TD><P><STRONG>Hostname</STRONG></P></TD><TD><P><STRONG>CPU</STRONG></P></TD><TD><P><STRONG>Status</STRONG></P></TD></TR><TR><TD>28/02/2022 21:58:00</TD><TD>cbtsv</TD><TD>90%</TD><TD>Critical</TD></TR></TBODY></TABLE><P>&nbsp;</P> Tue, 01 Mar 2022 08:49:20 GMT jackin 2022-03-01T08:49:20Z https://community.splunk.com/t5/Alerting/How-to-write-a-search-query-for-CPU/m-p/586945#M13532 <P>Hi,</P><P>I am trying to create a alert for cpu usage by using below query,</P><PRE>index=os host=cbtsv <BR />| stats latest(*) as * by host<BR />| table _time cpu_load_percent cpu_user_percent <BR />| eval CPU=cpu_load_percent+cpu_user_percent|stats avg(CPU) as percent by host</PRE><P>here Ii am trying to add 2 fields (CPU=CPU load + cpu user)<BR />but it is not giving results as expected<BR />I want an alert to be triggered when Avg value of CPU=(cpu_load + cpu user) exceeds 90%.<BR />How do I set the alert to meet the conditions above?<BR /><BR />Final output like</P><TABLE><TBODY><TR><TD><P><STRONG>Timestamp</STRONG></P></TD><TD><P><STRONG>Hostname</STRONG></P></TD><TD><P><STRONG>CPU</STRONG></P></TD><TD><P><STRONG>Status</STRONG></P></TD></TR><TR><TD>28/02/2022 21:58:00</TD><TD>cbtsv</TD><TD>90%</TD><TD>Critical</TD></TR></TBODY></TABLE><P>&nbsp;</P> Tue, 01 Mar 2022 08:49:20 GMT https://community.splunk.com/t5/Alerting/How-to-write-a-search-query-for-CPU/m-p/586945#M13532 jackin 2022-03-01T08:49:20Z https://community.splunk.com/t5/Alerting/How-to-write-a-search-query-for-CPU/m-p/586946#M13533 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/239496">@jackin</a>,</P><P>I suppose that you're taking logs using the Splunk_TA-nix.</P><P>Anyway, please try a search like this:</P><LI-CODE lang="markup">index=os host=cbtsv | stats avg(cpu_load_percent) as cpu_load_percent avg(cpu_user_percent) AS cpu_user_percent BY host | eval CPU=cpu_load_percent+cpu_user_percent | table host CPU</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 01 Mar 2022 08:53:07 GMT https://community.splunk.com/t5/Alerting/How-to-write-a-search-query-for-CPU/m-p/586946#M13533 gcusello 2022-03-01T08:53:07Z https://community.splunk.com/t5/Alerting/How-to-write-a-search-query-for-CPU/m-p/587020#M13534 <P>Give this a try</P><LI-CODE lang="markup">index=os host=cbtsv | table _time cpu_load_percent cpu_user_percent | stats max(_time) as _time avg(cpu_load_percent) as cpu_load_percent avg(cpu_user_percent) AS cpu_user_percent by host | eval CPU=cpu_load_percent+cpu_user_percent | where CPU&gt;90 | eval Status="Critical" | eval CPU=CPU."%" rename host as Hostname | table _time Hostname CPU Status</LI-CODE> Tue, 01 Mar 2022 14:37:45 GMT https://community.splunk.com/t5/Alerting/How-to-write-a-search-query-for-CPU/m-p/587020#M13534 somesoni2 2022-03-01T14:37:45Z