high cpu over xtime alert

I want to create an alert when the cpu is at 50% or higher for greater than 5 mins.

I thought this would work, but it is not:

host=myhost sourcetype="PerfmonMk:Process" instance=java "%_Processor_Time">50
| bucket _time span=5m
| stats avg("%_Processor_Time") as CPU by _time
| where CPU>50


Tags (1)
0 Karma


I don't think you need the proccessor time filter in your base search. Let your stats worry about the calculation.

for similar requests, we've typically used min(). If the minimum over a period is greater than your threshold, then it was above your threshold the whole time. The avg() could be above the threshold even if it's dipping/spiking over that period.

0 Karma