How to display top 10 CPU intensive windows processes using Splunk Dashboard

rahulsaxena015
New Member

Hi Team,

I am developing a dashboard that will list Windows Processes that are CPU intensive. My query looks like below:

index=platform_connect_os earliest=-5m host=host* source="Perfmon:Process" counter="% Processor Time" (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as "CPU Time by Host" by host ,instance| sort 0 -host,-"CPU Time by Host" | streamstats count as sno by host | where sno>4 | fields - sno

I am getting the below output:
[screenshot of the current results table]

Can someone confirm whether the results are correct or not? What is the unit of "CPU Time by Host"? I can't understand these numbers. Basically I want to display something like below:
[screenshot of the desired layout: process name next to its CPU percentage]

I want to list process followed by CPU in human readable format in Splunk dashboard.

Please help.

Thanks,
Rahul

0 Karma

rahulsaxena015
New Member

Based on your suggestions I added a wmi.conf file and executed the query below:

index=windows host=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| stats avg(cputime) as cputime by _time,host,Name
| rex field=Name "(?[^#]*)#{0,}"
| stats sum(cputime) as cputime by _time,host,Command
| timechart limit=50 useother=f avg(cputime) as cputime by Command

This query returns an error: "Error in 'rex' command: Encountered the following error while compiling the regex '(?[^#]*)#{0,}': Regex: unrecognized character after (? or (?- "

I am not sure where in regex it is failing. Can you help please?

At the same time, if I execute the following query, it works without any problem:

index=windows host=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name

0 Karma
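To make the arithmetic in the two WMI queries above concrete, here is an added Python example (not code from this thread or from Splunk). It runs the same pipeline over a handful of constructed WMI:process-style samples: `PercentProcessorTime` and `Timestamp_Sys100NS` are raw cumulative 100-nanosecond counters, so a single sample is meaningless and the CPU share of a process is 100 times the delta of the first over the delta of the second between two consecutive samples, which is what the `streamstats ... last()` plus `eval cputime` steps compute. The `#n` suffix Windows appends to repeated process instances (`svchost#3`) is stripped with a named capture group, which is also what the posted `rex` is missing: PCRE needs a group name, `(?<Command>[^#]*)#{0,}`, and Python spells the same thing `(?P<Command>...)`. The sample values, host names and the `logical_cpus` parameter (divide by the core count to get a machine-wide share instead of a share of one core) are assumptions for the demo.

```python
import re
from collections import defaultdict

# Instances that do not belong in a per-process ranking.
EXCLUDED_INSTANCES = {"_Total", "Idle", "System"}

# Same pattern as the posted rex, with the capture group named.
# SPL/PCRE equivalent: rex field=Name "(?<Command>[^#]*)#{0,}"
_COMMAND_RE = re.compile(r"(?P<Command>[^#]*)#{0,}")

# Constructed samples resembling two consecutive WMI:process polls
# (Timestamp_Sys100NS, host, Name, PercentProcessorTime), all in 100-ns units.
SAMPLES = [
    (100_000_000, "host1", "McAfee",     1_000_000),
    (100_000_000, "host1", "svchost#3",    500_000),
    (100_000_000, "host1", "svchost#7",    200_000),
    (100_000_000, "host1", "_Total",     9_000_000),
    (100_000_000, "host2", "chrome",             0),
    (200_000_000, "host1", "McAfee",    76_000_000),  # +75e6 over a 1e8 window -> 75%
    (200_000_000, "host1", "svchost#3", 10_500_000),  # +10e6 -> 10%
    (200_000_000, "host1", "svchost#7",  5_200_000),  # +5e6  -> 5%
    (200_000_000, "host1", "_Total",   109_000_000),
    (200_000_000, "host2", "chrome",    40_000_000),  # +40e6 -> 40%
]


def command_name(instance):
    """Strip the '#n' instance suffix: 'svchost#3' -> 'svchost'."""
    return _COMMAND_RE.match(instance).group("Command")


def per_process_cpu(samples, logical_cpus=1):
    """Average CPU% per (host, Command), computed from raw counter deltas.

    Mirrors the SPL pipeline: streamstats last() by Name -> eval cputime ->
    search cputime > 0 -> avg per instance -> rex Command -> sum per Command.
    """
    by_instance = defaultdict(list)
    for ts, host, name, counter in samples:
        if name in EXCLUDED_INSTANCES:
            continue
        by_instance[(host, name)].append((ts, counter))

    instance_avg = {}
    for key, points in by_instance.items():
        points.sort()  # the SPL 'reverse' puts events in time order
        rates = []
        for (t0, c0), (t1, c1) in zip(points, points[1:]):
            dt = t1 - t0
            if dt <= 0:
                continue  # duplicate or out-of-order poll; no usable interval
            # PERF_100NSEC_TIMER formula: 100 * dCounter / dTime, per core.
            rate = 100.0 * (c1 - c0) / dt / logical_cpus
            if rate > 0:  # the 'search cputime > 0' step drops counter resets
                rates.append(rate)
        if rates:
            instance_avg[key] = sum(rates) / len(rates)

    by_command = defaultdict(float)
    for (host, name), pct in instance_avg.items():
        by_command[(host, command_name(name))] += pct  # svchost#3 + svchost#7
    return {k: round(v, 2) for k, v in by_command.items()}


def top_processes(samples, n=10, threshold=0.0, logical_cpus=1):
    """Top-n processes per host, as (host, Command, cpu_percent) rows,
    keeping only rows at or above `threshold` percent."""
    rows = [(host, cmd, pct)
            for (host, cmd), pct in per_process_cpu(samples, logical_cpus).items()
            if pct >= threshold]
    rows.sort(key=lambda r: (r[0], -r[2]))  # by host, then CPU descending
    kept, seen = [], defaultdict(int)
    for host, cmd, pct in rows:
        if seen[host] < n:
            kept.append((host, cmd, pct))
            seen[host] += 1
    return kept


if __name__ == "__main__":
    for host, cmd, pct in top_processes(SAMPLES, n=10):
        print(f"{host:8} {cmd:12} {pct:6.2f}%")
```

With `logical_cpus=1` the numbers are a share of one core, which is why the Perfmon "% Processor Time" counter can read above 100 on a multi-core box; pass the host's core count to get the machine-wide percentage the dashboard wants, and `threshold=70.0` reproduces the "only when usage is at or above 70%" filter.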

adonio
Ultra Champion

hello there,

you are on the right track, leveraging the right values and fields.
can you elaborate on what it is exactly you would like to accomplish? it's hard for me to understand whether you would like to see cpu for a single host, across hosts, or per process.
it's worthwhile to pay attention to your perfmon counter pull interval; check it in inputs.conf.
lastly, there are many articles about your use case. start here:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowsperformance
it describes some caveats on this particular counter (scroll almost all the way down)
and more articles and answers:
https://answers.splunk.com/answers/122302/how-to-get-a-good-measure-of-load-or-cpu-utilization-in-wi...
https://www.octamis.com/octamis-blog/windows-performance-monitoring-tips-with-splunk/
there are plenty more out there

hope it helps

0 Karma

rahulsaxena015
New Member

Thanks for your response. I want to list the processes that are consuming CPU when CPU usage goes to >=70%.

E.g. say McAfee is utilizing the most CPU; I should be able to see that in my dashboard.

My current query returns CPU Time as 21.2222, but I want it displayed in %. Say McAfee is using 75% of CPU: I should be able to see on the dashboard McAfee under Instance and 75% under "CPU Time by Host".

Hope it clarifies.

0 Karma