So I updated my search to include an output

 sourcetype="perfmon:Windows__Processor" counter="% Processor Time" earliest=-13m latest=-1m
  | stats avg(Value)  as AvgProcessorTime by host
  | where AvgProcessorTime > 85 | outputcsv HighCpu.csv

this puts a csv file here:
S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv

Now I have script that takes the host name from the csv

uses credentials and iisreset the host
and edits a text file with host that was reset and date and time

$servers = Import-Csv 'S:\Program Files\Splunk\var\run\splunk\csv\HighCpu.csv' | Select-Object -ExpandProperty "Host"

forEach ($servers in $servers)
{

$User = "*domain\username*" 
#$session = New-PSSession -ComputerName $servers -credential $mycreds 
$Scriptblock = {IISRESET /RESTART}
$secpasswd = ConvertTo-SecureString “*userpassword*” -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential  (“$User”, $secpasswd)

 "$servers initiated IISreset at $(Get-Date)" | Add-Content -Path 'S:\Temp\IISResetLogs.txt' 

Invoke-Command  $servers –Credential $mycreds  –ScriptBlock {iisreset /RESTART}
}

I put this script here:
S:\Program Files\Splunk\bin\scripts

My only issue is that the trigger is not starting the script
I tested manually and know the script takes the csv get host name iisreset the host and edits the log file

Hi Bobmccoy,

Write an custom script that can run the rest / curl / splunk search from the backend and get the results and play with it.

cheers!