Re: Windows TA PerfmonMk:CPU

Aresndiz · ‎12-11-2024

I'm working with the Windows TA for Splunk, however the metrics it obtains for CPU are not correct. On my server, nothing similar is reflected. The same thing happens to me when consulting the RAM. Is there any other way to consume the CPU or RAM usage? What other alternative would be the solution to make them match with my server data?

bowesmana · ‎12-11-2024

@Aresndiz The data in Splunk is the data being sent by that machine. What tells you that the data in Splunk is not the same as the data on the server? Splunk wil not change the data coming from your server.

I note that the table and the event list do not appear to have the same information, e.g. CPU instance 13 has a reading of 9.32 in your table, yet that number does not match any of the event data you show. Is this what you mean?

CPU measurements are sometimes difficult to compare - in your example, you show data from a 16 core CPU with individual cores ranging from 7 to 60% and a total of 15%. What is the sampling rate of your readings being sent to Splunk, as that reading represents the average value since the previous reading.

If you use a different sampling interval when looking at data on your server you may well see different values, so you need to be comparing like with like.

Windows TA PerfmonMk:CPU

data

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation