topic Re: Requesting Assistance Writing a Search Request in Splunk Search

Requesting Assistance Writing a Search Request

dharveynswccd — Wed, 04 Dec 2019 20:23:20 GMT

I am writing a search which I intend to use to create an alert from. I keep getting "No Results" from this search unless I remove the third line (where Percent.........). Something is wrong with that filter but I can't seem to figure out what it is.

Here is the search:

index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" OR counter="% Processor Time" OR counter="% C2 Time"
| eval level=if(PercentUsedSpace>=90,"CRITICAL",if(PercentUsedSpace>=80,"WARNING",""))
| where PercentUsedSpace >=80
| table level _time host Value
| sort - PercentUsedSpace
| dedup host
| rename level as severity

My intended result is something like this:
Severity Time Host Value

I would like to convert the results in the field to actual percentages.

Any help is appreciated. Thanks

Re: Requesting Assistance Writing a Search Request

dharveynswccd — Wed, 04 Dec 2019 20:25:48 GMT

Edit: The second to last line here should read:

I would like to convert the results in the "Value" field to actual percentages

Re: Requesting Assistance Writing a Search Request

DavidHourani — Wed, 04 Dec 2019 21:35:54 GMT

Hello @dharveynswccd,

Try this :

index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" OR counter="% Processor Time" OR counter="% C2 Time" PercentUsedSpace>=80
| stats values(Value) as Value by PercentUsedSpace, host , _time
| eval level=if(PercentUsedSpace>=90,"CRITICAL",if(PercentUsedSpace>=80,"WARNING",""))
| rename level as severity

Cheers,
David

Re: Requesting Assistance Writing a Search Request

dharveynswccd — Thu, 05 Dec 2019 12:58:52 GMT

@DavidHourani,
Thanks for the response to my question. Unfortunately I received the "no results" even after changing the Warning and Critical values to much lower numbers.

Re: Requesting Assistance Writing a Search Request

DavidHourani — Thu, 05 Dec 2019 13:17:14 GMT

umm..weird..

Does the first line alone give you anything ?

 index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" OR counter="% Processor Time" OR counter="% C2 Time" PercentUsedSpace>=80

Re: Requesting Assistance Writing a Search Request

DavidHourani — Thu, 05 Dec 2019 13:19:00 GMT

Wait now that I read it again, why are you filtering on used space when all your counters are linked to CPU ? The field PercentUsedSpace is not even part of your events is it ?

Re: Requesting Assistance Writing a Search Request

dharveynswccd — Wed, 30 Sep 2020 03:15:51 GMT

You are indeed correct. Earlier when I was writing the search I followed the auto-complete in the search bar which led me to that. I just changed that to windows_cpu_load_percent and I am now seeing results, even writing the search 2 different ways. I still need to dumb it down a little but the 2 below seem to work:

I'm still trying to determine how to convert a decimal to a whole number in the percentage column. Any thoughts on this?

Re: Requesting Assistance Writing a Search Request

DavidHourani — Thu, 05 Dec 2019 13:49:25 GMT

Ah that's great, glad you found the error there... really weird when the autocorrect happens.

You can use the round function. something like this :

|eval windows_cpu_load_percent=round(windows_cpu_load_percent,0)

Re: Requesting Assistance Writing a Search Request

dharveynswccd — Thu, 05 Dec 2019 14:11:30 GMT

Worked! Thanks for the assists!!

Re: Requesting Assistance Writing a Search Request

dharveynswccd — Thu, 05 Dec 2019 14:13:25 GMT

David I awarded you 2 points. Hope that's a good reward. Not sure what the norm is.

Re: Requesting Assistance Writing a Search Request

DavidHourani — Thu, 05 Dec 2019 14:18:40 GMT

Thank you ! 😄

Usually if you up-vote any comment/question/answer that gives 15 karma the person who posted it. If you Accept an answer that is 25 karma. So if you're into gathering karma point, just upvote and accept and keep your points ^^

Re: Requesting Assistance Writing a Search Request

dharveynswccd — Thu, 05 Dec 2019 14:40:07 GMT

Good 2 know