Trying to chart process over time unsuccessfully with CPU query

Explorer

I am able to get the expected value by running this query; however, how would I plot this over time as a timechart?

sourcetype=Script:RunningProc eventtype=Security-proc1 | appendpipe [stats avg(CPUPct) as "CPU %" by Instance] | stats sum(CPU %)

output:
sum(CPU %)
0.156074

0 Karma
1 Solution

SplunkTrust

Try this

sourcetype=Script:RunningProc eventtype=Security-proc1
| timechart avg(CPUPct) by instance

0 Karma

Explorer

Thanks for the response, somesoni2. However, in order to produce the accurate value, the | stats sum(CPU %) needs to be included in the query (issues with the way Windows perfmon passes CPU data). I am looking to timechart the result sum(CPU %) over a period of time and having no luck.

sourcetype=Script:RunningProc eventtype=Security-proc1 | appendpipe [stats avg(CPUPct) as "CPU %" by Instance] | stats sum(CPU %)

output:
sum(CPU %)
0.156074

0 Karma

SplunkTrust

How about this? (update span value in bucket command and timechart command per your need)

sourcetype=Script:RunningProc eventtype=Security-proc1 | bucket span=15m _time | stats avg(CPUPct) as "CPU %" by _time instance | timechart span=15m sum("CPU %") as "CPU %"

0 Karma

Explorer

This seemed to work perfectly, thank you somesoni2

0 Karma
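
The two-stage aggregation in the accepted query (average CPUPct per instance inside each 15-minute bucket, then sum those averages per bucket), emulated in Python as an added example that is not part of the original thread. The events and instance names are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

SPAN = 15 * 60  # seconds; mirrors span=15m in the query

# Constructed sample events: (epoch seconds, instance, CPUPct). Not from the thread.
EVENTS = [
    (0,    "proc1#1", 0.10),
    (300,  "proc1#1", 0.20),
    (0,    "proc1#2", 0.04),
    (600,  "proc1#2", 0.06),
    (900,  "proc1#1", 0.30),
    (1200, "proc1#2", 0.10),
    (1500, "proc1#2", 0.20),
]


def bucket(ts, span=SPAN):
    """Like `bucket span=15m _time`: snap a timestamp to its bucket start."""
    return ts - ts % span


def avg_by_time_instance(events, span=SPAN):
    """Like `stats avg(CPUPct) as "CPU %" by _time instance`."""
    samples = defaultdict(list)
    for ts, instance, cpu in events:
        samples[(bucket(ts, span), instance)].append(cpu)
    return {key: sum(vals) / len(vals) for key, vals in samples.items()}


def chart(events, span=SPAN):
    """Like `timechart span=15m sum("CPU %")`: one summed value per bucket."""
    totals = defaultdict(float)
    for (start, _instance), avg in avg_by_time_instance(events, span).items():
        totals[start] += avg
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    for start, total in chart(EVENTS).items():
        print(f"bucket starting at {start:>5}s  CPU % = {total:.2f}")
```

Averaging first keeps an instance that reports more samples in a bucket from being counted more heavily than one that reports fewer.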