topic Re: splunk search query for CPU usage in Splunk Search

splunk search query for CPU usage

Atul1507 — Wed, 29 Dec 2021 10:51:10 GMT

Hi i am new to splunk.
i have splink event like this
" system CPU | 6.039 % | system time | 0.009 % |

how can i get avg CPU % usage value against index type ? via report or dashboards.

Re: splunk search query for CPU usage

gcusello — Wed, 29 Dec 2021 11:00:50 GMT

if you have many evevnts like the one you shared, do you want to calculate the average or the max value of CPU usage?

supposing that you already have the extraction of the CPU usave percentage, in numbers (without the % char)) and If average, please, try something like this:

index=* | stats avg(CPU_perc) AS CPU_perc BY index

If instead you didn't extracted the CPU_perc field, please try something like this (always calculating average):

index=* | rex "system CPU\|(?<CPU_perc>[^ ]+)\s+\%" | eval CPU_perc=tonumber(CPU_perc) | stats avg(CPU_perc) AS CPU_perc BY index

Ciao.

Giuseppe

Re: splunk search query for CPU usage

Atul1507 — Wed, 29 Dec 2021 11:23:13 GMT

i tried these query ..but not seeing any output in CPU_perc field.

Re: splunk search query for CPU usage

gcusello — Wed, 29 Dec 2021 11:27:23 GMT

Hi @Atul1507,

please, what out do you have in

index=* | rex "system CPU\|(?<CPU_perc>\d+)\s+\%" | table CPU_perc

if you haven't any result, the field extraction is wrong, in this case, please share more examples of your data.

If instead you have results, please share some of them.

Ciao.

Giuseppe

Re: splunk search query for CPU usage

Atul1507 — Wed, 29 Dec 2021 11:51:01 GMT

cant share more details as its client server.

but there is no field extracted for CPU

Re: splunk search query for CPU usage

gcusello — Wed, 29 Dec 2021 15:15:54 GMT

hi @Atul1507,

please, send some log, masking the relevant data (e.g. hostname or IP address), but maintain the data structure.

Ciao.

Giuseppe

Re: splunk search query for CPU usage

Atul1507 — Thu, 30 Dec 2021 13:43:58 GMT

Re: splunk search query for CPU usage

gcusello — Tue, 04 Jan 2022 07:58:00 GMT

Hi @Atul1507,

please try this sample:

Ciao.

Giuseppe

Re: splunk search query for CPU usage

Atul1507 — Tue, 04 Jan 2022 07:08:46 GMT

Thanks,

But this query seems to be specefic to fix inputs.....while all this values are subjecteedd to change dynamically.

What i want to calculate average % usage of field "system CPU".

I HAVE other fields extracted like : index type,host,sourcetype.

so i can create dasboards for cpu usage by index type,host,sourcetype.

Note: we dont have extracted field for cpu percentage (CPU_perc)

Re: splunk search query for CPU usage

isoutamo — Tue, 04 Jan 2022 07:14:45 GMT

Hi
In @gcusello 's answer, he will use your given data as a sample. That was lines between makeresults ... rex. In real life you should add from "| rex ..." after that SPL which you are using to generate that sample data. And as you probably have this data on "field" _raw then you should remove field=ppp from rex or replace it as "field = _raw" (or what ever that field is where you sample data is).

Yes, you can generate that data on dashboard with stats ... by index, host, sourcetype.
r. Ismo

Re: splunk search query for CPU usage

gcusello — Tue, 04 Jan 2022 07:57:25 GMT

Hi @Atul1507,

as @isoutamo said (thanks to @isoutamo), in my answer you have to find the approach to solve your need, not the full solution to all your needs, also because I can only a subset of your real data.

As he said, I used the | makeresults rows to have your data in my search, but in your real condition, you surely have a search that extract the data to use in this search.

So, analyze my answer to understand the approach to follow and adapt it to your real situation:

extract all the fields you need, not only the one I used in the sample,
use, in the stats command, the BY cause to group the results for index or host or sourcetype, etc...

Ciao.

Giuseppe