Getting Data In

Cpu and memory usage

carlyleadmin
Contributor

This probably has been asked many many times but there is still not a good answer out there.i simply want to use forwarder to collect data from my servers and send it to splunk and get a basic cpu memory usage.i am using wmi and my first challenge is what my config file would be.i have something like this which i found it on the net but not sure what is what exactly

[WMI:process]
disabled = 0
interval = 30
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
index = pa

my question is,what should use in wql to pull the data and once i have he config file what would my search would be?

Tags (1)
0 Karma
1 Solution

ansif
Motivator

inputs.conf

[WMI:LocalMainMemory]
interval = <Interval_Time>
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from \
 Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = <IndexName>

[WMI:process]
index = <IndexName>
disabled = 0
interval = <Interval_Time>
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process

Search Query:

index=<INdexName> sourcetype="WMI:process" Name!=_Total Name!=Idle

You can try this:

index=<INdexName> sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name

View solution in original post

0 Karma

Nvijay92
Explorer

Hello Ansif,

I have an idea which would be helpful for you.

I know its too late answer.

Please find the below query which would list the processes list consuming more than certain amount of memory,

index="wmi_perfmon" source="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| stats avg(cputime) as CPU_Time by Name
| where CPU_Time > 10

Thank you

0 Karma

carlyleadmin
Contributor

Ansif,
instead of getting by all the processors i need just one number for everything so that's why i did by host,but not sure if that number is right or what it means alt text

0 Karma

carlyleadmin
Contributor

alt text

0 Karma

carlyleadmin
Contributor

alt text

0 Karma

ansif
Motivator

inputs.conf

[WMI:LocalMainMemory]
interval = <Interval_Time>
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from \
 Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = <IndexName>

[WMI:process]
index = <IndexName>
disabled = 0
interval = <Interval_Time>
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process

Search Query:

index=<INdexName> sourcetype="WMI:process" Name!=_Total Name!=Idle

You can try this:

index=<INdexName> sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name
0 Karma

carlyleadmin
Contributor

Ansif,

i apologize for the late response.i implemented your query and it seems to be working.i just changed the last bit to get a timechart by host.my question is these numbers don't make sense to me.i woudl like to get something in percentage if possible can you help with the?

sourcetype="WMI:CPU" index=main sourcetype="WMI:CPU" Name!=_Total Name!=Idle Name!=_Total Name!=Idle
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart span=10m avg(cputime) by host

0 Karma

ansif
Motivator

Can you share your current values and expected values?

0 Karma

carlyleadmin
Contributor

Ansif,

here are the results,as i said it before i want to get the avg cpu by host.i will add the images.these numbers are huge.i want to get something like cpu is at 20% or 5%.

0 Karma

ansif
Motivator

inputs.conf

## Processes
[WMI:LocalProcesses]
interval = 30
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = windows
disabled =0

Search:

sourcetype=WMI:LocalProcesses

0 Karma

carlyleadmin
Contributor

Ansif,

First of all ,thank you for taking the time to trying to help me out and i apologize in advance if i am not making this easy for you.
i added the stanza to my wmi and getting the data but don't think it is giving me the correct data or i might be using the wrong query.is the "percentprocessortime" field what i am going to use?if that is,then why do i need "privatebytes"?

so this is what i am searching

index=5sv sourcetype="WMI:LocalProcesses" host=ap5sv Name!=_Total Name!=Idle Name!=_Total Name!=Idle|search PercentProcessorTime > 0|timechart span=4h eval(round(avg(PercentProcessorTime),0)) by host

i actually tried running this in realtime and going into the host machine at the same time and running some processes.numbers are close,but not sure if they are accurate.

can you tell me if this is correct?Thanks for all the help

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...