topic Re: How to display top 10 CPU intensive windows processes using Splunk Dashboard in Dashboards & Visualizations

How to display top 10 CPU intensive windows processes using Splunk Dashboard

rahulsaxena015 — Tue, 29 Sep 2020 17:13:16 GMT

Hi Team,

I am developing a dashboard that will list Windows Processes that are CPU intensive. My query looks like below:

index=platform_connect_os earliest=-5m host=host* source="Perfmon:Process" counter="% Processor Time" (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as "CPU Time by Host" by host ,instance| sort 0 -host,-AvgValue | streamstats count as sno by host | where sno>4 | fields - sno

I am getting the below output:

Can someone confirm whether the results are correct or not? What is the unit of CPU Time by Host. I can't understand these numbers. Basically i want to display something like below:

I want to list process followed by CPU in human readable format in Splunk dashboard.

Please help.

Thanks,
Rahul

Re: How to display top 10 CPU intensive windows processes using Splunk Dashboard

adonio — Tue, 12 Dec 2017 16:03:56 GMT

hello there,

you are on the right track, leveraging the right values and fields.
can you elaborate on what is it exactly you would like to accomplish? its hard for me to understand if you would like to see cpu by a single host? across hosts? per process?
worthwhile to pay attention to your perfmon counter pull interval, check in inputs.conf.
lastly, many articles about your use case, start here:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowsperformance
describes some caveats on this particular counter (roll almost all the way down)
and more articles and answers:
https://answers.splunk.com/answers/122302/how-to-get-a-good-measure-of-load-or-cpu-utilization-in-windows.html
https://www.octamis.com/octamis-blog/windows-performance-monitoring-tips-with-splunk/
there are plenty more out there

hope it helps

Re: How to display top 10 CPU intensive windows processes using Splunk Dashboard

rahulsaxena015 — Wed, 13 Dec 2017 04:33:47 GMT

Thanks for your response. I want to list processes that are consuming CPU when CPU usage goes to >=70%.

Eg. Say if McAfee is utilizing max CPU usage i should be able to see that in my dashboard.

My current query results CPU Time as 21.2222 but i want it to display in %. Say if McAfee is using 75% of CPU, i should be able to see on Dashboard McAfee under Instance and 75% under CPU Time by Host

Hope it clarifies.

Re: How to display top 10 CPU intensive windows processes using Splunk Dashboard

rahulsaxena015 — Tue, 29 Sep 2020 17:13:59 GMT

Based on your suggestions i added wmi.conf file and executed below query:

index=windows host=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| stats avg(cputime) as cputime by _time,host,Name
| rex field=Name "(?[^#]*)#{0,}"
| stats sum(cputime) as cputime by _time,host,Command
| timechart limit=50 useother=f avg(cputime) as cputime by Command

This query returns an error: "Error in 'rex' command: Encountered the following error while compiling the regex '(?[^#]*)#{0,}': Regex: unrecognized character after (? or (?- "

I am not sure where in regex it is failing. Can you help please?

At the same time if i execute the following query, it works without any problem:

index=windows hosts=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name