This has probably been asked many, many times, but there is still not a good answer out there. I simply want to use a forwarder to collect data from my servers, send it to Splunk, and get basic CPU and memory usage. I am using WMI, and my first challenge is what my config file should be. I have something like this, which I found on the net, but I am not sure what is what exactly:
[WMI:process]
disabled = 0
interval = 30
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
index = pa
My question is: what should I use in wql to pull the data, and once I have the config file, what would my search be?
inputs.conf
[WMI:LocalMainMemory]
interval = <Interval_Time>
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from \
Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = <IndexName>
[WMI:process]
index = <IndexName>
disabled = 0
interval = <Interval_Time>
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
Search Query:
index=<IndexName> sourcetype="WMI:process" Name!=_Total Name!=Idle
You can try this:
index=<IndexName> sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name
Hello Ansif,
I have an idea which would be helpful for you.
I know it's too late an answer.
Please find below the query, which would list the processes consuming more than a certain amount of memory:
index="wmi_perfmon" source="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| stats avg(cputime) as CPU_Time by Name
| where CPU_Time > 10
Thank you
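Added example, not part of any post in this thread: the delta calculation that the `streamstats`/`eval cputime` searches above perform on Win32_PerfRawData_PerfProc_Process, written out in Python so the arithmetic can be checked by hand. The sample values are constructed, and the `cores` parameter, the PID-change check and `host_percent` are assumptions that go beyond the posted searches.

```python
from collections import defaultdict

# Constructed samples (not from the thread):
# (Name, IDProcess, PercentProcessorTime, Timestamp_Sys100NS).
# In the raw class both counters are cumulative 100 ns ticks; rows are 30 s apart.
SAMPLES = [
    ("sqlservr", 1200, 1_000_000_000, 10_000_000_000),
    ("w3wp",     3100,   500_000_000, 10_000_000_000),
    ("sqlservr", 1200, 1_060_000_000, 10_300_000_000),  # 60M of 300M ticks
    ("w3wp",     4400,     2_000_000, 10_300_000_000),  # new PID: counter reset
    ("sqlservr", 1200, 1_075_000_000, 10_600_000_000),  # 15M of 300M ticks
    ("w3wp",     4400,    32_000_000, 10_600_000_000),  # 30M of 300M ticks
]

def cpu_percent(samples, cores=1):
    """Return [(name, timestamp, percent)] from consecutive raw samples per Name.

    percent = 100 * delta(PercentProcessorTime) / delta(Timestamp_Sys100NS),
    the same formula as the eval in the searches. `cores` (assumption) scales
    the value to a share of the whole machine, since one process can exceed
    100 on a multi-core host.
    """
    last, out = {}, []
    for name, pid, cpu_ticks, ts in sorted(samples, key=lambda s: s[3]):
        prev = last.get(name)
        last[name] = (pid, cpu_ticks, ts)
        if prev is None:
            continue  # first sample: nothing to diff against
        prev_pid, prev_cpu, prev_ts = prev
        d_cpu, d_ts = cpu_ticks - prev_cpu, ts - prev_ts
        # Skip restarts, counter resets and duplicate timestamps instead of
        # emitting negative values or dividing by zero.
        if pid != prev_pid or d_cpu < 0 or d_ts <= 0:
            continue
        out.append((name, ts, round(100 * d_cpu / d_ts / cores, 2)))
    return out

def host_percent(samples, cores=1):
    """Sum the per-process shares at each timestamp (assumption: every
    process in one WMI poll carries the same Timestamp_Sys100NS)."""
    totals = defaultdict(float)
    for _name, ts, pct in cpu_percent(samples, cores):
        totals[ts] += pct
    return dict(totals)

if __name__ == "__main__":
    for row in cpu_percent(SAMPLES):
        print(row)
    print(host_percent(SAMPLES))
```
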
Ansif,
I apologize for the late response. I implemented your query and it seems to be working. I just changed the last bit to get a timechart by host. My question is: these numbers don't make sense to me. I would like to get something in percentage if possible. Can you help with that?
sourcetype="WMI:CPU" index=main sourcetype="WMI:CPU" Name!=_Total Name!=Idle Name!=_Total Name!=Idle
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart span=10m avg(cputime) by host
Can you share your current values and expected values?
Ansif,
Here are the results. As I said before, I want to get the avg CPU by host. I will add the images. These numbers are huge. I want to get something like CPU is at 20% or 5%.
inputs.conf
## Processes
[WMI:LocalProcesses]
interval = 30
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = windows
disabled = 0
Search:
sourcetype=WMI:LocalProcesses
Ansif,
First of all, thank you for taking the time to try to help me out, and I apologize in advance if I am not making this easy for you.
I added the stanza to my WMI and am getting the data, but I don't think it is giving me the correct data, or I might be using the wrong query. Is the "percentprocessortime" field what I am going to use? If it is, then why do I need "privatebytes"?
So this is what I am searching:
index=5sv sourcetype="WMI:LocalProcesses" host=ap5sv Name!=_Total Name!=Idle Name!=_Total Name!=Idle|search PercentProcessorTime > 0|timechart span=4h eval(round(avg(PercentProcessorTime),0)) by host
I actually tried running this in real time while going into the host machine at the same time and running some processes. The numbers are close, but I am not sure if they are accurate.
Can you tell me if this is correct? Thanks for all the help.