Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Getting "top 3" (Windows) processes, sorted by CPU usage, when CPU usage goes over xx%

so_edv1
New Member
‎03-08-2019 12:51 AM

Hello everyone,

Pretty new to Splunk and, to be honest, I'm going under in work so I don't have time to work myself in a lot 😕 and so I hoped someone could help me with something, I somehow couldn't find some solution for..

We. I. want to monitor our VDA Servers and get informed / an e-mail once the CPU usage goes over a certain amount. Let's say 70%.

This shouldn't happen. But of course sometimes it does. And we want to know through which process.

So we basically want to get a short e-mail.

"Hey. CPU load on X is over the limit.

Here are the top 3 processes, sorted by CPU load produced:

  • MS Teams - 30%
  • Chrome - 25%
  • Outlook 20%

"

Is there a pre-made solution someone knows? Or a powershell script?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2019 06:00 AM

First, you must have performance data from your VDA servers indexed in Splunk. You can use a universal forwarder to send perfmon:CPU events to do that.

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
interval = 60
disabled = 0

Once you have the data, it's easy to craft a search that runs every few minutes to look for servers with high CPU utilization. 

index=windows | stats sum('% Processor Time') as PctCPU | where PctCPU > 70

See https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/MonitorWindowsperformance for details.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2019 06:00 AM

First, you must have performance data from your VDA servers indexed in Splunk. You can use a universal forwarder to send perfmon:CPU events to do that.

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
interval = 60
disabled = 0

Once you have the data, it's easy to craft a search that runs every few minutes to look for servers with high CPU utilization. 

index=windows | stats sum('% Processor Time') as PctCPU | where PctCPU > 70

See https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/MonitorWindowsperformance for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

so_edv1
New Member
‎03-10-2019 11:51 PM

Sorry for the late reply, hope everyone had a nice weekend 🙂

Going to try this out.

Thank you.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...