Re: Windows TA PerfmonMk:CPU

Aresndiz

I'm working with the Windows TA for Splunk, however the metrics it obtains for CPU are not correct. On my server, nothing similar is reflected. The same thing happens to me when consulting the RAM. Is there any other way to consume the CPU or RAM usage? What other alternative would be the solution to make them match with my server data?

bowesmana

@Aresndiz The data in Splunk is the data being sent by that machine. What tells you that the data in Splunk is not the same as the data on the server? Splunk wil not change the data coming from your server.

I note that the table and the event list do not appear to have the same information, e.g. CPU instance 13 has a reading of 9.32 in your table, yet that number does not match any of the event data you show. Is this what you mean?

CPU measurements are sometimes difficult to compare - in your example, you show data from a 16 core CPU with individual cores ranging from 7 to 60% and a total of 15%. What is the sampling rate of your readings being sent to Splunk, as that reading represents the average value since the previous reading.

If you use a different sampling interval when looking at data on your server you may well see different values, so you need to be comparing like with like.

Windows TA PerfmonMk:CPU

data

Windows

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?