Alerting

How to write a search query for CPU

jackin
Path Finder

Hi,

I am trying to create an alert for CPU usage using the query below:

index=os host=cbtsv
| stats latest(*) as * by host
| table _time cpu_load_percent cpu_user_percent
| eval CPU=cpu_load_percent+cpu_user_percent
| stats avg(CPU) as percent by host

Here I am trying to add two fields (CPU = cpu_load + cpu_user), but it is not giving the results I expect.
I want an alert to be triggered when the average value of CPU = (cpu_load + cpu_user) exceeds 90%.
How do I set the alert to meet the conditions above?

Final output like:

Timestamp             Hostname  CPU   Status
28/02/2022 21:58:00   cbtsv     90%   Critical


gcusello
Esteemed Legend

Hi @jackin,

I suppose that you're taking logs using the Splunk_TA-nix.

Anyway, please try a search like this:

index=os host=cbtsv 
| stats avg(cpu_load_percent) as cpu_load_percent avg(cpu_user_percent) AS cpu_user_percent BY host
| eval CPU=cpu_load_percent+cpu_user_percent
| table host CPU

Ciao.

Giuseppe


somesoni2
Revered Legend

Give this a try:

index=os host=cbtsv
| table _time cpu_load_percent cpu_user_percent
| stats max(_time) as _time avg(cpu_load_percent) as cpu_load_percent avg(cpu_user_percent) AS cpu_user_percent by host
| eval CPU=cpu_load_percent+cpu_user_percent
| where CPU>90
| eval Status="Critical"
| eval CPU=CPU."%"
| rename host as Hostname
| table _time Hostname CPU Status
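To turn a search like the one above into a scheduled alert that fires when the averaged CPU exceeds 90, here is a savedsearches.conf stanza (an added example, not code from the thread). The stanza name, the 5-minute schedule, the 15-minute averaging window and the e-mail recipient are placeholders; the field names are the Splunk_TA_nix ones used in the thread.

```ini
# savedsearches.conf (e.g. in an app's local/ directory) - added example, not from the thread.
# Stanza name, schedule, window and recipient are placeholders; adjust to your environment.
[High CPU - cbtsv]
enableSched = 1
# Run every 5 minutes; the search averages the samples of the previous 15 minutes.
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Do the numeric comparison (where CPU>90) BEFORE appending "%",
# otherwise CPU is no longer numeric and the threshold test is unreliable.
search = index=os host=cbtsv \
| stats max(_time) as _time avg(cpu_load_percent) as cpu_load_percent avg(cpu_user_percent) as cpu_user_percent by host \
| eval CPU=round(cpu_load_percent+cpu_user_percent, 1) \
| where CPU>90 \
| eval Status="Critical", CPU=CPU."%" \
| rename host as Hostname \
| table _time Hostname CPU Status
# Trigger when the search returns at least one row, i.e. the average exceeded 90.
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5
alert.track = 1
# Suppress repeat notifications for the same host for 30 minutes.
alert.suppress = 1
alert.suppress.fields = Hostname
alert.suppress.period = 30m
action.email = 1
action.email.to = ops-oncall@example.com
```

The averaging period is set by dispatch.earliest_time, so widen or narrow that window rather than the cron schedule if the alert is too noisy or too slow.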

