https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652699#M225571 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259130">@sheepIT</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 01 Aug 2023 12:21:35 GMT gcusello 2023-08-01T12:21:35Z https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652406#M225494 <P>Hello all,</P><P>&nbsp;</P><P>I am relatively new to Splunk, having just inherited a whole Splunk environment due to our former Splunk Admin leaving. I'm having issues with setting up a dashboard that returns the top 10 windows hosts with the most CPU usage, essentially I need a query that would calculate and return that.&nbsp; I can find the windows hosts under the _internal and perfmon indexes.&nbsp;</P><P>I managed to find and customize this query:</P><P>index=perfmon object=Process counter="%_Processor_Time" host=WINSERVER1 earliest=-2m latest=now NOT instance IN(_Total,Idle,System)<BR />| stats perc90(Value) as Value by host<BR />| top limit=10 Value by host</P><P>&nbsp;</P><P>However, it returns all the hosts in the index, and not the top 10 hosts with the highest CPU usage. Also comparing the CPU usage, it seems like it is incorrect, as when I open task manager and compare, they are noticeably different, so it makes me wonder if my calculation is off? Or what calculation would be most accurate in determining the CPU usage of individual hosts?&nbsp;</P> Fri, 28 Jul 2023 17:11:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652406#M225494 sheepIT 2023-07-28T17:11:13Z https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652434#M225503 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259130">@sheepIT</a>,</P><P>you have two solutions:</P><UL><LI>the top command,</LI><LI>the stats and sort commands:</LI></UL><P>top command</P><LI-CODE lang="markup">index=perfmon object=Process counter="%_Processor_Time" host=WINSERVER1 earliest=-2m latest=now NOT instance IN(_Total,Idle,System) | top perc90(Value) as Value by host limit=10</LI-CODE><P>stats and sort commands</P><LI-CODE lang="markup">index=perfmon object=Process counter="%_Processor_Time" host=WINSERVER1 earliest=-2m latest=now NOT instance IN(_Total,Idle,System) | stats perc90(Value) as Value by host | sort 10 BY Value</LI-CODE><P>the first is easier but I usually use the second solution.</P><P>Ciao.</P><P>Giuseppe</P> Sat, 29 Jul 2023 05:19:26 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652434#M225503 gcusello 2023-07-29T05:19:26Z https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652563#M225543 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>I used most of what you did, along with some functions I found and now have it like this.</P><P>index=perfmon object=Process counter="%_Processor_Time" host=WINSERVER1 earliest=-2m latest=now NOT instance IN(_Total,Idle,System)<BR />| stats perc90(Value) as Value by host</P><P>| eval Value=round(Value,2)<BR />| sort -Value | head 10<BR /><BR /></P> Mon, 31 Jul 2023 16:26:25 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652563#M225543 sheepIT 2023-07-31T16:26:25Z https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652646#M225557 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259130">@sheepIT</a>,</P><P>is it ok for you?</P><P>Ciao.</P><P>Giuseppe</P> Tue, 01 Aug 2023 05:51:48 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652646#M225557 gcusello 2023-08-01T05:51:48Z https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652699#M225571 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259130">@sheepIT</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 01 Aug 2023 12:21:35 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-CPU-Usage-Query/m-p/652699#M225571 gcusello 2023-08-01T12:21:35Z