https://community.splunk.com/t5/Splunk-Search/CPU-Utilization-Query/m-p/96046#M24793 <P>Use Monitoring Console builtin since Splunk 6.5. It is a great feature.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/DMCoverview">https://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/DMCoverview</A></P> Wed, 22 Nov 2017 23:43:14 GMT jrprez1804 2017-11-22T23:43:14Z https://community.splunk.com/t5/Splunk-Search/CPU-Utilization-Query/m-p/96044#M24791 <P>I am using this query to Fetch CPU Utilization details</P> <P>index=os sourcetype="cpu" | multikv forceheader=1 | eval human_readable_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | eval percentageCPUUtil = 100 - pctIdle | table human_readable_time,host,percentageCPUUtil,pctIdle</P> <P>But for particular time and for the same host , we are getting multiple rows, Below is the ouput</P> <P>human_readable_time,host,percentageCPUUtil,pctIdle<BR /> 2012-19-03 03:44:58,edb1crsapppex45,2.16,97.84<BR /> 2012-19-03 03:44:58,edb1crsapppex45,1.00,99.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.99,99.01<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,5.94,94.06<BR /> 2012-19-03 03:44:58,edb1crsapppex45,2.00,98.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,1.98,98.02<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,3.00,97.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,9.00,91.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,28.00,72.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00<BR /> 2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00</P> <P>If we notice the output, for the same time and same host, we are getting multiple Rows. So which row should be assume is the Percentage CPU Utilization. </P> <P>But if we add | search CPU=all | in the query, then output we are getting is fine.</P> <P>Kindly Suggest. </P> Mon, 28 Sep 2020 11:32:18 GMT https://community.splunk.com/t5/Splunk-Search/CPU-Utilization-Query/m-p/96044#M24791 kuldeepsingh99 2020-09-28T11:32:18Z https://community.splunk.com/t5/Splunk-Search/CPU-Utilization-Query/m-p/96045#M24792 <P>Probably your host has a multicore CPU or several CPUs so in this case you have utilization for each core. Like a solution you can add core number to output and calculate utilization for each core or calculate average value of all rows or use just CPU=all</P> Tue, 20 Mar 2012 09:54:03 GMT https://community.splunk.com/t5/Splunk-Search/CPU-Utilization-Query/m-p/96045#M24792 Vladimir 2012-03-20T09:54:03Z https://community.splunk.com/t5/Splunk-Search/CPU-Utilization-Query/m-p/96046#M24793 <P>Use Monitoring Console builtin since Splunk 6.5. It is a great feature.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/DMCoverview">https://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/DMCoverview</A></P> Wed, 22 Nov 2017 23:43:14 GMT https://community.splunk.com/t5/Splunk-Search/CPU-Utilization-Query/m-p/96046#M24793 jrprez1804 2017-11-22T23:43:14Z