Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Exposing sustained CPU and Memory spike in Perfmon data

babecassisgenet
New Member
‎03-29-2017 07:16 AM

Hey guys - today, I have a simple query that returns hosts that have hit a max of 75% CPU or memory usage over a given time. This works great; however, I would like to change this so that the host only appears if it breached that 75% limit for several minutes.. How would I do that?

Thanks

source="perfmon:CPU" OR source="perfmon:memory" counter="% Processor Time" OR counter="% Committed Bytes In Use" Value>75 | chart Max(Value) by host counter |rename "% Committed Bytes In Use" as "Memory Usage", "% Processor Time" as "CPU Usage"

0 Karma
Reply

beatus
Communicator
‎03-29-2017 05:17 PM

Streamstats (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats) is your friend here.

source="perfmon:CPU" OR source="perfmon:memory" counter="% Processor Time" OR counter="% Committed Bytes In Use" | streamstats min(_time) AS startTime, max(_time) AS endTime reset_before="(Value<75)" by host| eval timeSpan = endTime-startTime | search timeSpan>300

What we're doing here is taking the first appearance of an event over 75% and continuing to group subsequent events together until the CPU usage is less than 75%. At that point, we reset the start and end times. The eval then creates a timeSpan, so how long we were over 75% usage. Finally, the search then gives us our threshold, in this case 5 minutes (300 seconds).

Reply

adonio
Ultra Champion
‎03-29-2017 09:01 AM

maybe try the bin span=10m _time
you can set the span to your preference and then use timechart command. something like this:
index = perfmon source="perfmon:CPU" OR source="perfmon:memory" counter="% Processor Time" OR counter="% Committed Bytes In Use" Value>75 | bin span=5m _time | timechart max(Value) by host
hope it helps

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...