Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert on overall %CPU on multicore Solaris server?

davidl64
New Member
‎11-02-2012 01:05 PM

I have a saved search that goes like this:

index=os sourcetype=cpu host=* | multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | search host="birdhouse" | where Percent_CPU_Load > 80

My intent was to receive an alert if the overall CPU load of the server is over 80%. However, it seems this string will trigger if any single core is over 80%, since it is reading mpstat data and seems to trigger for each line if result is over 80. Leaving aside for the moment that cpu.sh cuts off Core #0, is there a way I can trigger on the average of all the cores?

Thanks,
DL

Tags (2)
0 Karma
Reply

sunilsk1
Path Finder
‎08-24-2013 11:19 PM

Did this work for you ?
I tried the same but do not see any results

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-04-2012 09:51 PM 
index=os sourcetype=cpu host=birdhouse | multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | stats avg(Percent_CPU_Load) as Percent_CPU_Load by host | where Percent_CPU_Load > 80
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...