Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- CPU Utilization Query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CPU Utilization Query
I am using this query to Fetch CPU Utilization details
index=os sourcetype="cpu" | multikv forceheader=1 | eval human_readable_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | eval percentageCPUUtil = 100 - pctIdle | table human_readable_time,host,percentageCPUUtil,pctIdle
But for particular time and for the same host , we are getting multiple rows, Below is the ouput
human_readable_time,host,percentageCPUUtil,pctIdle
2012-19-03 03:44:58,edb1crsapppex45,2.16,97.84
2012-19-03 03:44:58,edb1crsapppex45,1.00,99.00
2012-19-03 03:44:58,edb1crsapppex45,0.99,99.01
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,5.94,94.06
2012-19-03 03:44:58,edb1crsapppex45,2.00,98.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,1.98,98.02
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,3.00,97.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,9.00,91.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,28.00,72.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
2012-19-03 03:44:58,edb1crsapppex45,0.00,100.00
If we notice the output, for the same time and same host, we are getting multiple Rows. So which row should be assume is the Percentage CPU Utilization.
But if we add | search CPU=all | in the query, then output we are getting is fine.
Kindly Suggest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use Monitoring Console builtin since Splunk 6.5. It is a great feature.
https://docs.splunk.com/Documentation/Splunk/7.0.0/DMC/DMCoverview
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably your host has a multicore CPU or several CPUs so in this case you have utilization for each core. Like a solution you can add core number to output and calculate utilization for each core or calculate average value of all rows or use just CPU=all
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
