Splunk Enterprise

Help with High CPU Report using data points

coldwolf7
Explorer

Hello,

I have a report I am having issues with. It is for CPU usage on laptops. I have tried the stats perc() and the stats avg(). I get a lot of false positives; for instance, if a laptop gets powered on for a couple of hours, there would be 8 data points, since the default is to pull CPU usage every 15 mins. So 4 of the data points could be high CPU usage, but that is explained by the bootup, patching and other scripts running. What we care about is consistent CPU usage. So we are monitoring the data points, and for every data point that goes over 70% CPU we add one to the count. Then over a week we only want to see, per machine, when they have more than 70 data points going over 70%. The challenge I am having is that I also want to get the total count of data points as well, so we can take the total data points and compare them to the High CPU data points and get a percentage of High Processor time.

So this is the code I have, and it works at telling me the data points over 70%. But whenever I try to play around with adding an overall total, I cannot get it to work.

index=wss_desktop_perfmon sourcetype="wks:Perf_Processor" %_Processor_Time > 69
| stats count as CPULoad avg(%_Processor_Time) as %_Processor_Time by host
| lookup local=true PrimaryUsers.csv host AS host OUTPUT host DeviceType FullName Location Address Model OSVer TotalPhysicalMemoryKB Email PrimaryUser Supervisor "Supervisor Email"
| search Location IN ("GA1*", "GA7*", "GA9*")
| where CPULoad > 70
| rename CPULoad as "High CPU DataPoint"

Host        High CPU DataPoint   %_Processor_Time
Computer1   97                   78.54106664

Now I would like to add in a total count of data points from %_Processor_Time.

bowesmana
SplunkTrust

If you're looking to count ALL data points, then you'll need to remove the >69 filter in the first search.

Try this

index=wss_desktop_perfmon sourcetype="wks:Perf_Processor" 
| stats count as totalDataPoints count(eval('%_Processor_Time' > 69))  as CPULoad avg(eval(if('%_Processor_Time'>69,'_Processor_Time', null()))) as %_Processor_Time by host 

for the first two lines. What this does is

  • Include all data in initial search
  • stats statement then does a count for all data points per host and a separate count for processor time > 69 and finally the average processor time is only averaged if the CPU is >69 again.

Then when you have finished that stats, you have an extra field 'totalDataPoints' for each host as well as the original fields.


coldwolf7
Explorer

This worked great; there was just one minor update I had to do: I added the % on the second _Processor_Time.

avg(eval(if('%_Processor_Time'>69,'%_Processor_Time', null())))

bowesmana
SplunkTrust

Ooops - my bad - well spotted 😀 - glad it worked

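Pulling the thread together as an added example (not code from either poster or from Splunk): the corrected stats line with the % in place, the percentage the question asked for, and the existing lookup and location filters. The one-week time window (earliest/latest) and the extra pctHigh > 50 cut-off are my own assumptions, not something the thread specifies.

```spl
index=wss_desktop_perfmon sourcetype="wks:Perf_Processor" earliest=-7d@d latest=@d
| stats count AS totalDataPoints
        count(eval('%_Processor_Time' > 69)) AS CPULoad
        avg(eval(if('%_Processor_Time' > 69, '%_Processor_Time', null()))) AS avgHighCPU
        BY host
| eval pctHigh = round(100 * CPULoad / totalDataPoints, 1)
| lookup local=true PrimaryUsers.csv host AS host OUTPUT DeviceType Location PrimaryUser
| search Location IN ("GA1*", "GA7*", "GA9*")
| where CPULoad > 70 AND pctHigh > 50
| sort - pctHigh
| rename CPULoad AS "High CPU DataPoints", totalDataPoints AS "Total DataPoints", avgHighCPU AS "Avg %_Processor_Time when high", pctHigh AS "% of samples above 69"
```

At the default 15-minute poll a host contributes at most 672 samples per week, so a machine with 70 high samples out of 600 sits at about 12%, and the pctHigh cut-off is what separates it from one that is busy most of the time.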