Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help with query, transactions and percentage. Need it for Alerting.

Rialf1959
Explorer
‎08-08-2017 01:07 AM

Hello, I need help with this query. Cpu_percent field return values in percentage, so it might be a problem.
Basically i need to find all containers where cpu_percent usage is above 50% during 5mins and print some fields. I need it for realtime alerting. I am using ta-dockerstats addon.
This is my first query 😞

My example:

index=main source="docker_stats" host=* |stats last(cpu_percent) as CPU by container_id |where CPU> 30 | transaction host, container_id, CPU > 30 maxpause=5m | where duration>300 | fields _time, duration, host, CPU, container_id

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎08-08-2017 07:45 AM

DO NOT use realtime for this. Not only will it not work properly, but it kills your performance.

0 Karma
Reply

cmerriman
Super Champion
‎08-08-2017 04:42 AM

Alright, so from what i can see, it looks like you're filtering out the cpu_percent that's greater than 30% by container_id and then running a transaction where the events are 5 minutes apart and also only last 5 minutes.

Is this an alert running every 5 minutes? if so, try something like this:

index=main source="docker_stats" host=* earliest=-5m|stats last(cpu_percent) as CPU by container_id |search CPU>50| fields _time, host, CPU, container_id

if you need it ran for a longer duration of time:

index=main source="docker_stats" host=*|eventstats last(cpu_percent) as CPU by container_id| transaction host, container_id maxspan=5m maxpause=5m|search CPU>50 | fields _time, duration, host, CPU, container_id
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...