Splunk Enterprise

Help with High CPU Report using data points

coldwolf7
Explorer

Hello,

I have a report I am having issues with. It is for CPU usage on laptops. I have tried the stats perc() and the stats avg(). I get a lot of false positives; for instance, if a laptop gets powered on for a couple of hours, there would be 8 data points, since the default is to pull CPU usage every 15 mins. So 4 of the data points could be high CPU usage, but that is explained by the bootup, patching and other scripts running. What we care about is consistent CPU usage. So we are monitoring the data points, and for every data point that goes over 70% CPU we add one to the count. Then over a week we only want to see, per machine, when it has more than 70 data points going over 70%. The challenge I am having is that I also want to get a total count of data points as well, so we can take the total data points and compare it to the high CPU data points and get a percentage of high processor time.

So this is the code I have, and it works at telling me the data points over 70%, but whenever I try and play around with adding an overall total I cannot get it to work.

index=wss_desktop_perfmon sourcetype="wks:Perf_Processor" %_Processor_Time > 69
| stats count as CPULoad avg(%_Processor_Time) as %_Processor_Time by host
| lookup local=true PrimaryUsers.csv host AS host OUTPUT host DeviceType FullName Location Address Model OSVer TotalPhysicalMemoryKB Email PrimaryUser Supervisor "Supervisor Email"
| search Location IN ("GA1*", "GA7*", "GA9*") 
| where CPULoad > 70
| rename CPULoad as "High CPU DataPoint"

| Host | High CPU DataPoint | %_Processor_Time |
|---|---|---|
| Computer1 | 97 | 78.54106664 |

 

Now I would like to add in a total count of data points from %_Processor_Time.


bowesmana
SplunkTrust

If you're looking to count ALL data points, then you'll need to remove the >69 filter in the first search.

Try this

index=wss_desktop_perfmon sourcetype="wks:Perf_Processor" 
| stats count as totalDataPoints count(eval('%_Processor_Time' > 69))  as CPULoad avg(eval(if('%_Processor_Time'>69,'_Processor_Time', null()))) as %_Processor_Time by host 

for the first two lines. What this does is

  • Include all data in initial search
  • stats statement then does a count for all data points per host and a separate count for processor time > 69 and finally the average processor time is only averaged if the CPU is >69 again.

Then when you have finished that stats, you have an extra field 'totalDataPoints' for each host as well as the original fields.


coldwolf7
Explorer

This worked great, there was just one minor update I had to do. I added the % on the second _processor_time

avg(eval(if('%_Processor_Time'>69,'%_Processor_Time', null())))


bowesmana
SplunkTrust

Ooops - my bad - well spotted 😀 - glad it worked
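
Putting the thread together, as an added example that is not part of the original posts: the accepted search with the corrected field name, extended to compute the percentage of high-CPU data points the question asked for. The field names avgHighCPU and pctHighCPU are hypothetical, the lookup OUTPUT list is shortened to two of the question's fields, and the search assumes the time range is set to the week being reported.

```spl
index=wss_desktop_perfmon sourcetype="wks:Perf_Processor"
| stats count as totalDataPoints
        count(eval('%_Processor_Time' > 69)) as CPULoad
        avg(eval(if('%_Processor_Time' > 69, '%_Processor_Time', null()))) as avgHighCPU
        by host
| eval pctHighCPU = round(CPULoad / totalDataPoints * 100, 1)
| lookup local=true PrimaryUsers.csv host AS host OUTPUT Location PrimaryUser
| search Location IN ("GA1*", "GA7*", "GA9*")
| where CPULoad > 70
| rename CPULoad as "High CPU DataPoint", totalDataPoints as "Total DataPoints", pctHighCPU as "% High CPU"
```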
