
help for monitoring a CPU abnormally charge following lasting conditions

Contributor

Hi,

I use the search below in order to monitor the processes which use more than 80% of CPU:

index="TUTU" sourcetype="perfmonmk:process" 
| where process_cpu_used_percent>80 

But I want to monitor only the processes > 80% of CPU which last at least one minute or more, and to display them in a timechart.
Could you help me please?
Thanks


Re: help for monitoring a CPU abnormally charge following lasting conditions

Motivator

Hey @jip31,

Can you try using avg(process_cpu_used_percent) and use bin _time span=1m and then try using where.
Let me know if this helps!!

0 Karma

Re: help for monitoring a CPU abnormally charge following lasting conditions

Contributor

Hi,
Thanks.
I have done this but I don't understand how to use bintime.
I would also like to have only the last 10 events.

index="test" sourcetype="perfmonmk:process"
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10

Could you help me please?

0 Karma

Re: help for monitoring a CPU abnormally charge following lasting conditions

SplunkTrust

Hi @jip31,

Nice index name ^^

This query is correct :

index="TUTU" sourcetype="perfmonmk:process" 
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10

If you want to use bucket you can use it like this :

 index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10

Cheers,
David

0 Karma

Re: help for monitoring a CPU abnormally charge following lasting conditions

Contributor

Hi David,

When I add bin time I have the message: the specifier bintime is invalid. It must be in form (). For example : max(size)
And I want to display ten events (host) in my timechart, but only the last 10 events (host).
With head 10 I have ten events, but not the last ones.

0 Karma

Re: help for monitoring a CPU abnormally charge following lasting conditions

SplunkTrust

ohhhh, sorry! hahah it's actually bucket 😄

 index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10

as for the last 10 you can use reverse :

index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time|reverse | head 10
0 Karma

Re: help for monitoring a CPU abnormally charge following lasting conditions

Contributor

Thanks David.
Last question:
my final search is:

index="tutu" sourcetype="perfmonmk:process" 
| where process_cpu_used_percent>80 
| bucket _time span=1m 
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
| eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
| table _time host process_cpu_used_percent 
| dedup host 
| reverse 
| head 10

Do you think it's correct?

0 Karma

Re: help for monitoring a CPU abnormally charge following lasting conditions

SplunkTrust

Looks good !

But I think you want to use your 80% filter after the stats, so that it gets applied to the average. This should do:

 index="tutu" sourcetype="perfmonmk:process" 
 | bucket _time span=1m 
 | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
 | where process_cpu_used_percent>80 
 | eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
 | dedup host 
 | reverse 
 | head 10
0 Karma
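
An added example, not part of any participant's post: the query above filters on the one-minute average, which a short spike can push over 80%. This variant requires every sample in the minute to exceed 80% and counts consecutive such minutes per host; the names min_cpu, avg_cpu, samples, sustained and minutes_in_state are chosen here, while the index, sourcetype and field come from the thread.

```spl
index="TUTU" sourcetype="perfmonmk:process"
| bin _time span=1m
| stats min(process_cpu_used_percent) as min_cpu avg(process_cpu_used_percent) as avg_cpu count as samples by host, _time
| eval sustained=if(min_cpu>80, 1, 0)
| sort 0 host _time
| streamstats reset_on_change=true count as minutes_in_state by host, sustained
| where sustained=1
| eval avg_cpu=round(avg_cpu, 1)
| table _time host min_cpu avg_cpu samples minutes_in_state
```

Minutes with no events are skipped rather than counted as a break, so compare consecutive _time values if gaps matter. To track each process rather than each host, add the process-name field from your data to both by clauses.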

Re: help for monitoring a CPU abnormally charge following lasting conditions

SplunkTrust

please upvote comments and accept answer if it was helpful ❤️

0 Karma