Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need CPU and Memory peak utilization of multiple VM's

bhanue
New Member
‎01-26-2020 03:22 AM

Hi All,
I am very new to Splunk.

My organisation uses Splunk for all infra monitoring, I am trying to get the "Peak CPU average" (or) the highest CPU hit per instance in last 24 hours of all my Azure VM's (it's Windows and Linux combo).

I am able to get average average using bellow query, but I need peak average - Can you please help.

host=AZR* index="perfmon" source="Perfmon:CPU" counter="% Processor Time" | stats avg(Value) as avgcpu by host

host=AZR* index="perfmon" source="Perfmon:Memory" counter="% Committed Bytes In Use" | stats avg(Value) as AvgMemory by host

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-26-2020 03:31 AM

There are several ways to do this - use |stats max(Value) for the highest value across your result set
If you want the peak average value, you can use your existing search, and just massage the results a bit with something like

...| stats avg(Value) as avgcpu by host|sort - avgcpu|head 1

If you wanted to use the stats function again, you could instead do:

...| stats avg(Value) as avgcpu by host|stats max(avgcpu) as maxAvgCpu by host

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-26-2020 03:31 AM

There are several ways to do this - use |stats max(Value) for the highest value across your result set
If you want the peak average value, you can use your existing search, and just massage the results a bit with something like

...| stats avg(Value) as avgcpu by host|sort - avgcpu|head 1

If you wanted to use the stats function again, you could instead do:

...| stats avg(Value) as avgcpu by host|stats max(avgcpu) as maxAvgCpu by host

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top