- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- help on bucket time using
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
in the query below, I monitore events where the cpu used is > 80%
But I want to monitore only events where the cpu used > 80% last 10 minutes
could you confirm that bucket _time span=10m is doing that?
`CPU` earliest=-30d latest=now
| bucket _time span=10m
| where process_cpu_used_percent>80
| timechart avg(process_cpu_used_percent) as process_cpu_used_percent by host limit=10 useother=false
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
Using | bucket _time span=10m will group events based the time field with a 10 min span. It adds no logic to process_cpu_used_percent so it won't make sense to use process_cpu_used_percent>80 right after the bucket command.
You could do as follows in order to fix the results:
`CPU` earliest=-30d latest=now
| bucket _time span=10m
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time
| where process_cpu_used_percent>80
| timechart avg(process_cpu_used_percent) as process_cpu_used_percent by host limit=10 useother=false
Let me know if that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31 :
using span=10 will not work as it accumulates all the events falling in the timefame spefied into 1 event
If you want to restrict the search to last 10 minutes us can use the below
CPU earliest=-10m@m latest=now process_cpu_used_percent>80
| timechart limit=10 useother=false span=10m avg(process_cpu_used_percent) as process_cpu_used_percent by host
Span - will give you output in 10 minutes blocks
limit = will restrict your output to 10.
I would suggest you remove limits as that might truncate your results, if more than 10 hosts go over 80% in the last 10 minutes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
Using | bucket _time span=10m will group events based the time field with a 10 min span. It adds no logic to process_cpu_used_percent so it won't make sense to use process_cpu_used_percent>80 right after the bucket command.
You could do as follows in order to fix the results:
`CPU` earliest=-30d latest=now
| bucket _time span=10m
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time
| where process_cpu_used_percent>80
| timechart avg(process_cpu_used_percent) as process_cpu_used_percent by host limit=10 useother=false
Let me know if that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
There is something wrong...
I have any results....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what does this give you ?
`CPU` earliest=-30d latest=now
| bucket _time span=10m
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time
| where process_cpu_used_percent>80
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it gives no results...
I have results if I put where before stats
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh... so im guessing in the 10 min interval nothing averages to more than 80... Try max instead of avg and see what it gives.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes it works now
but.... i need an average on this events
pearharps by using another stats?
like this david??
`CPU` earliest=-30d latest=now
| bucket _time span=10m
| stats max(process_cpu_used_percent) as process_cpu_used_percent by host,_time
| where process_cpu_used_percent>80
| timechart avg(process_cpu_used_percent) as process_cpu_used_percent by host limit=10 useother=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes exactly, i advise you to use perc90 instead of max for the first stats, since max can simply be a peek and not a real indicator of high load.
Your whole search would look like this :
`CPU` earliest=-30d latest=now
| bucket _time span=10m
| stats perc90(process_cpu_used_percent) as process_cpu_used_percent by host,_time
| where process_cpu_used_percent>80
| timechart avg(process_cpu_used_percent) as process_cpu_used_percent by host limit=10 useother=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK many thanks
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
