Splunk Search

A value remains for a length of time

troyhochsprung
New Member

I am looking for a search that returns an event(s) when the searched value remains for a set length of time. Using Windows performance monitoring searches, I am searching for CPU "Peak" values but would like to add a time condition for length.

Example: 

eventtype="perfmon_windows" (Host="hostname") object="Processor" counter="% Processor Time" instance="*" | stats sparkline(avg(Value)) as Trend avg(Value) as Average, max(Value) as Peak, latest(Value) as Current, latest(_time) as "Last Updated" by Host | convert ctime("Last Updated") | sort - Current | eval Average=round(Average, 2) | eval Peak=round(Peak, 2) | eval Current=round(Current, 2) | where Peak>85 

Right now that search works very well but if I get a quick spike of CPU it will go off. I would like to add something like when the CPU hits that Peak of 85 for something like 5 minutes or more. 

0 Karma

troyhochsprung
New Member

Spikes can be somewhat common, so I really would like to see the Peak value that is set hold that level for a set time, like 5 minutes, to create the event.

0 Karma

ITWhisperer
SplunkTrust

Change your stats so that you check every minute, then use autoregress to capture the previous 4 values, then eval if all 5 values are above your threshold.

0 Karma

ITWhisperer
SplunkTrust

You could use autoregress and count the number of times you have had spikes in the last X periods.

0 Karma
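One way to write the two autoregress suggestions above as a single search (an added example, not posted by anyone in the thread). It assumes a single host, since autoregress has no by clause, a 1-minute bucket, and the field names over and hits, which are made up for illustration.

```spl
eventtype="perfmon_windows" (Host="hostname") object="Processor" counter="% Processor Time" instance="*"
| timechart span=1m max(Value) as Peak
| eval over=if(Peak>85, 1, 0)
| autoregress over p=1-4
| eval hits=over+over_p1+over_p2+over_p3+over_p4
| where hits>=5
| eval Peak=round(Peak, 2)
| table _time Peak hits
```

With hits>=5 a row is returned only when the current minute and the four before it all peaked above 85; lowering that number gives the "count of spikes in the last X periods" variant. timechart emits a row for every minute, so a minute with no samples counts as 0 rather than being skipped, and the first four rows drop out because their over_p fields are null.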