Dashboards & Visualizations

How to display top 10 CPU intensive windows processes using Splunk Dashboard

rahulsaxena015
New Member

Hi Team,

I am developing a dashboard that will list Windows Processes that are CPU intensive. My query looks like below:

index=platform_connect_os earliest=-5m host=host* source="Perfmon:Process" counter="% Processor Time" (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as "CPU Time by Host" by host, instance | sort 0 -host, -"CPU Time by Host" | streamstats count as sno by host | where sno<=10 | fields - sno

I am getting the below output:
[screenshot of the current output]

Can someone confirm whether the results are correct or not? What is the unit of CPU Time by Host? I can't understand these numbers. Basically I want to display something like below:
[screenshot of the desired output]

I want to list process followed by CPU in human readable format in Splunk dashboard.

Please help.

Thanks,
Rahul

0 Karma

rahulsaxena015
New Member

Based on your suggestions I added a wmi.conf file and executed the query below:

index=windows host=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by host, Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| stats avg(cputime) as cputime by _time,host,Name
| rex field=Name "(?[^#]*)#{0,}"
| stats sum(cputime) as cputime by _time,host,Command
| timechart limit=50 useother=f avg(cputime) as cputime by Command

This query returns an error: "Error in 'rex' command: Encountered the following error while compiling the regex '(?[^#]*)#{0,}': Regex: unrecognized character after (? or (?- "

I am not sure where in the regex it is failing. Can you help please?

At the same time, if I execute the following query, it works without any problem:

index=windows host=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by host, Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name

0 Karma
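As an added, self-contained example (not code from the original thread, from Splunk, or from any of the posters), the following Python reproduces the arithmetic of the WMI query above and the per-host top-N ranking the first post is after, on constructed sample rows. It applies the same PERF_100NSEC_TIMER formula, 100 * delta(PercentProcessorTime) / delta(Timestamp_Sys100NS), strips the "#n" instance suffix as the rex was meant to, and drops a counter that went backwards after a process restart (the "search cputime > 0" step). The result of that formula is percent of one logical CPU and can exceed 100 on a multi-core box; dividing by the host's logical CPU count is what yields the whole-machine percentage. The RAW_ROWS data and the LOGICAL_CPUS lookup are constructed for the example and are assumptions, not values from the page.

```python
from collections import defaultdict

# Constructed sample of raw WMI perf rows (not real data): two consecutive polls
# per process on two hosts. PercentProcessorTime and Timestamp_Sys100NS are
# cumulative counters in 100-ns ticks, as Win32_PerfRawData_PerfProc_Process
# reports them; a 10 s poll interval is 100_000_000 ticks.
INTERVAL = 100_000_000
T0 = 132_000_000_000_000_000  # arbitrary starting timestamp in 100-ns ticks

RAW_ROWS = [
    # (host, Name, PercentProcessorTime, Timestamp_Sys100NS)
    ("host1", "_Total",   3_000_000_000, T0),
    ("host1", "_Total",   3_400_000_000, T0 + INTERVAL),  # excluded below
    ("host1", "Idle",     1_000_000_000, T0),
    ("host1", "Idle",     1_050_000_000, T0+ INTERVAL),   # excluded below
    ("host1", "mcshield",   500_000_000, T0),
    ("host1", "mcshield",   800_000_000, T0 + INTERVAL),  # 300% of one core
    ("host1", "chrome",     200_000_000, T0),
    ("host1", "chrome",     220_000_000, T0 + INTERVAL),  # 20%
    ("host1", "chrome#1",   100_000_000, T0),
    ("host1", "chrome#1",   130_000_000, T0 + INTERVAL),  # 30%, same command as chrome
    ("host1", "svchost",    900_000_000, T0),
    ("host1", "svchost",    905_000_000, T0 + INTERVAL),  # 5%
    ("host2", "mcshield",    50_000_000, T0),
    ("host2", "mcshield",    90_000_000, T0 + INTERVAL),  # 40% of one core
    ("host2", "sqlservr",   700_000_000, T0),
    ("host2", "sqlservr",   860_000_000, T0 + INTERVAL),  # 160% of one core
    ("host2", "notepad",    300_000_000, T0),
    ("host2", "notepad",     10_000_000, T0 + INTERVAL),  # restarted: counter went backwards
]

# Assumed logical CPU counts per host (in Splunk this would come from a lookup
# or from the NumberOfLogicalProcessors field of Win32_ComputerSystem).
LOGICAL_CPUS = {"host1": 4, "host2": 2}
EXCLUDED = {"_Total", "Idle"}  # the query's Name!=_Total Name!=Idle filter


def per_core_percent(prev_n, cur_n, prev_d, cur_d):
    """PERF_100NSEC_TIMER formula: 100 * dN / dD. Percent of ONE logical CPU."""
    dd = cur_d - prev_d
    if dd <= 0:
        return None  # no elapsed time between samples; nothing to compute
    return 100.0 * (cur_n - prev_n) / dd


def command_name(name):
    """Strip the '#n' instance suffix: 'chrome#1' -> 'chrome' (what the rex intends)."""
    return name.split("#", 1)[0]


def process_cpu(rows, cpus_by_host):
    """Return {(host, command): (per_core_pct, whole_machine_pct)}."""
    by_instance = defaultdict(list)
    for host, name, n, d in rows:
        if name in EXCLUDED:
            continue
        by_instance[(host, name)].append((d, n))

    # avg(cputime) per instance, like the first stats in the query
    instance_avg = {}
    for key, points in by_instance.items():
        points.sort()  # the SPL sorts with reverse + streamstats; we sort by timestamp
        vals = []
        for (d0, n0), (d1, n1) in zip(points, points[1:]):
            pct = per_core_percent(n0, n1, d0, d1)
            if pct is None or pct <= 0:  # counter reset or restart: drop the sample
                continue
            vals.append(pct)
        if vals:
            instance_avg[key] = sum(vals) / len(vals)

    # sum(cputime) per command, like the second stats in the query
    per_command = defaultdict(float)
    for (host, name), pct in instance_avg.items():
        per_command[(host, command_name(name))] += pct

    return {k: (v, v / cpus_by_host[k[0]]) for k, v in per_command.items()}


def top_processes(results, n=10):
    """Per-host top-N by whole-machine percent: {host: [(command, pct), ...]}."""
    ranked = defaultdict(list)
    for (host, cmd), (_, machine_pct) in results.items():
        ranked[host].append((cmd, round(machine_pct, 2)))
    return {h: sorted(v, key=lambda t: t[1], reverse=True)[:n] for h, v in ranked.items()}


if __name__ == "__main__":
    for host, procs in top_processes(process_cpu(RAW_ROWS, LOGICAL_CPUS)).items():
        for cmd, pct in procs:
            print(f"{host:6} {cmd:10} {pct:6.2f}% of machine")
```

The whole-machine column is the human-readable number the thread is asking for: mcshield on host1 burns 300% of one core, which is 75% of a 4-CPU machine, while the same 300 displayed raw would look like an error. The restarted notepad instance is dropped rather than reported as a huge negative value.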

adonio
Ultra Champion

Hello there,

You are on the right track, leveraging the right values and fields.
Can you elaborate on what exactly you would like to accomplish? It's hard for me to understand whether you would like to see CPU by a single host, across hosts, or per process.
It is worthwhile to pay attention to your Perfmon counter poll interval; check it in inputs.conf.
Lastly, there are many articles about your use case; start here:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowsperformance
It describes some caveats on this particular counter (scroll almost all the way down).
And more articles and answers:
https://answers.splunk.com/answers/122302/how-to-get-a-good-measure-of-load-or-cpu-utilization-in-wi...
https://www.octamis.com/octamis-blog/windows-performance-monitoring-tips-with-splunk/
There are plenty more out there.

Hope it helps.

0 Karma

rahulsaxena015
New Member

Thanks for your response. I want to list processes that are consuming CPU when CPU usage goes to >=70%.

E.g., say McAfee is utilizing the most CPU; I should be able to see that in my dashboard.

My current query returns CPU Time as 21.2222, but I want it displayed in %. Say McAfee is using 75% of CPU; I should be able to see McAfee under Instance and 75% under CPU Time by Host on the dashboard.

Hope it clarifies.

0 Karma