hi
I use the search below in order to monitor the processes which use more than 80% of CPU
index="TUTU" sourcetype="perfmonmk:process"
| where process_cpu_used_percent>80
But I want to monitor only the processes > 80% of CPU which last at least one minute or more and to display it in a timechart
could you help me please?
thanks
Hi @jip31,
Nice index name ^^
This query is correct :
index="TUTU" sourcetype="perfmonmk:process"
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10
If you want to use bucket, you can use it like this :
index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10
Cheers,
David
hi david
when I add bin _time I have the message : the specifier bin_time is invalid. It must be in form (). For example : max(size)
and I want to display ten events (host) in my timechart but only the last 10 events (host)
with head 10 I have ten events but not the last ones...
ohhhh, sorry! hahah it's actually bucket
😄
index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10
as for the last 10 you can use reverse :
index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | reverse | head 10
thanks david
last question
my final search is :
index="tutu" sourcetype="perfmonmk:process"
| where process_cpu_used_percent>80
| bucket _time span=1m
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time
| eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %"
| table _time host process_cpu_used_percent
| dedup host
| reverse
| head 10
do you think it's correct?
Looks good !
But I think you want to use your 80% filter after the stats, that way it gets applied to the average. This should do :
index="tutu" sourcetype="perfmonmk:process"
| bucket _time span=1m
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time
| where process_cpu_used_percent>80
| eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %"
| dedup host
| reverse
| head 10
please upvote comments and accept answer if it was helpful ❤️
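The point in the last answer (filter after the 1-minute average, not before it) reproduced in Python on constructed perfmon-style samples. This is an added example, not code from the thread or from Splunk; the hosts, timestamps and CPU values are made up, and `bucket_avg`, `filter_before_stats`, `filter_after_stats` and `latest_per_host` are hypothetical helpers that mimic `bucket`, `stats avg`, `where`, `dedup`, `reverse` and `head`.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: (epoch seconds, host, process_cpu_used_percent)
SAMPLES = [
    (0, "web01", 95.0), (15, "web01", 90.0), (30, "web01", 10.0), (45, "web01", 5.0),   # short spike, 1-min avg 50.0
    (0, "db01", 85.0), (15, "db01", 88.0), (30, "db01", 82.0), (45, "db01", 89.0),      # sustained, 1-min avg 86.0
    (60, "db01", 20.0), (75, "db01", 25.0), (90, "db01", 15.0), (105, "db01", 30.0),    # calm in the next minute
    (0, "app01", 70.0), (15, "app01", 75.0), (30, "app01", 78.0), (45, "app01", 79.0),  # never above 80
]


def bucket_avg(samples, span=60, threshold=None):
    """bucket _time span=<span> | stats avg(...) by host,_time.
    If threshold is given, samples are dropped BEFORE averaging (the 'where' before 'stats' variant)."""
    buckets = defaultdict(list)
    for t, host, cpu in samples:
        if threshold is not None and cpu <= threshold:
            continue
        buckets[(host, t - t % span)].append(cpu)
    return {key: round(mean(vals), 1) for key, vals in buckets.items()}


def filter_before_stats(samples, threshold=80.0):
    """where cpu>80 | bucket | stats avg: a single high sample is enough for a host to show up."""
    return bucket_avg(samples, threshold=threshold)


def filter_after_stats(samples, threshold=80.0):
    """bucket | stats avg | where avg>80: only minutes whose whole-minute average is above 80."""
    return {key: avg for key, avg in bucket_avg(samples).items() if avg > threshold}


def latest_per_host(buckets, n=10):
    """reverse | dedup host | head n: newest bucket per host, at most n rows."""
    seen, rows = set(), []
    for (host, t), cpu in sorted(buckets.items(), key=lambda kv: kv[0][1], reverse=True):
        if host not in seen:
            seen.add(host)
            rows.append((t, host, f"{cpu} %"))
    return rows[:n]


if __name__ == "__main__":
    print("filter before stats:", filter_before_stats(SAMPLES))  # web01 appears with avg 92.5 of only its spike samples
    print("filter after stats: ", filter_after_stats(SAMPLES))   # only db01 minute 0 (avg 86.0) survives
    print("latest per host:    ", latest_per_host(filter_after_stats(SAMPLES)))
```

Note that `dedup` keeps the first row it sees, so the order of `dedup host` and `reverse` decides whether you keep the oldest or the newest minute for each host.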
Hey @jip31,
Can you try using avg(process_cpu_used_percent) and use bin _time span=1m and then try using where.
Let me know if this helps!!
hi
thanks
I have done this but I don't understand how to use bin_time?
I would also like to have only the last 10 events
index="test" sourcetype="perfmonmk:process"
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10
could you help me please?