Archive

Splunk Perfmon misreporting W3WP processes consuming 100% cpu

SplunkShawnCt
Explorer

This is the inputs collecting data.

[perfmon://Process]
counters = % Processor Time; ID Process; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 420
object = Process
useEnglishOnly=true
index = perfmon

The % Processor Time has worked very reliably in windows 2008 but since upgrading to 2016 it is often reporting various W3WP running at Value 100. (This alert averages over the last 2 hours and alerts only if the value is over 90)

Logging onto the server, monitoring with perfmon or typeperf show that all w3wp processes are running under 5% continuously as we are not as of yet utilizing these servers.

This looks to be a problem specific to splunk. Is there anything in that stanza that looks incorrect? Anyone have any insight as to what might be going on here? I would like to reliably track CPU usage of processes.

An example event, this process is running at 0% but splunk is reporting 100?

01/19/2018 17:21:51.191 -0500
collection=Process
object=Process
counter="% Processor Time"
instance=w3wp#3
Value=100

host =  W2K16Server     
    index = perfmon     
    source =    Perfmon:Process     
    sourcetype =    Perfmon:Process     
    splunk_server = SplunkIndexerServer21
Tags (1)
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!