How do I alert when cpu usage is more than 90% sin...

avni26 · ‎09-24-2019

Hi,
I want to alert when cpu usage percentage is more than 90% since 15 or more minutes.
Or we can say ,alert after 3 iterations of same having usage more than 80%
I am trying this,
index="idx2" source="Cpu.sh" | eval usage=(100-idle)
| stats latest(usage) as "usage" max(idle) as "idle" latest(_time) as time by host | eval time= strftime(time,"%d-%m-%y %H:%M:%S") | table time host usage idle | where usage>90
And alert is scheduled for every 5 minutes and for last 15 minutes duration.
But alert keep triggering immediately when CPU util shows >=90% utilization.
Please suggest ,if it to alert only if utilization is >90% for 15minutes or more.

adonio · ‎09-24-2019

try this anywhere to understand the technique using streamstas to capture streaming statistics as data flows
alert on the field min_cpu
you can use other functions as well:

    | gentimes start=-1 increment=5m
    | eval cpu = random()%20 + 80
    | eval _time = starttime 
    | head 30
    | table _time cpu
    | rename COMMENT as "the above generates data below is the solution" 
    | sort _time
    | streamstats time_window=15m min(cpu) as min_cpu

read more about the command here:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Streamstats

hope it helps

How do I alert when cpu usage is more than 90% since 15 or more minutes

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor