Splunk Search

How to create a report showing percentage CPU usage for multiple servers?

idab
Path Finder

Hi guys,

I'm trying to create a bar chart that shows the min, avg, and max for five specific servers. The chart shows the whenever a server cpu/processor time crosses the threshold of 75 percent.?

I have an existing search I created below, but not coming along as planned.

(index =perfmon collection="*" Host="DS-*") index=perfmon counter="*" collection="*" Host!="ds-08"  Host!="ds-07"  Host!="DS-ME"  Host!="ds-mes" counter="*"  counter="% Processor Time" | bucket _time span=1m    avg(Value) AS AVG  min(Value) AS MIN max(Value) AS MAX by host | sort -host | eval AVG=round(AVG,2)   | eval MIN=round(MIN,2)   | eval MAX=round(MAX,2)

somesoni2
Revered Legend

Give this a try

(index =perfmon collection="*" Host="DS-*") index=perfmon counter="*" collection="*" Host!="ds-08"  Host!="ds-07"  Host!="DS-ME"  Host!="ds-mes" counter="*"  counter="% Processor Time" | bucket _time span=1m    | stats avg(Value) AS AVG  min(Value) AS MIN max(Value) AS MAX by host | sort -host | eval AVG=round(AVG,2)   | eval MIN=round(MIN,2)   | eval MAX=round(MAX,2) | where AVG>=75 OR MIN>=75 OR MAX>=75
0 Karma

idab
Path Finder

hi somesoni2,
Appreciate the feedback.Quick question:
Is there a way to show the raw values between the specified time span of 1m using the same search?

0 Karma

somesoni2
Revered Legend

How frequently you're perfmon input runs? If it runs every 60, they Avg, min or max will give raw values only.

0 Karma

idab
Path Finder

Hi somesoni2,
Thanks for the feedback.
Regarding your question "How frequently do you perfmon input runs?" - Not sure .I'm newbie on Splunk.Can you point me in the right direction to find that information?

0 Karma

PGrantham
Path Finder

It looks like you're missing a | stats/chart after the | bucket _time span=1m

Not sure if that was just a copy-paste error, but if not that would definitely cause a failure. 🙂

Also, I'm not sure I completely understand your question. Is the problem you're having that you aren't getting a chart as you would expect or is it that the chart is including cpu/processor times prior to crossing the 75% threshold or something else?

0 Karma

idab
Path Finder

hi somesoni2,

Thanks for the feedback.
Yes, as you asked : not getting the chart I want- The picture I have below is my thoughts.Hopefully, I don't need d3 to do this. 🙂

http://answers.splunk.com/storage/temp/56223-idea.jpg

0 Karma

PGrantham
Path Finder

It sounds like you're wanting to use the "Marker Gauge" visualization.

Once you've run your search, try selecting the "Visualization" tab then selecting the far left dropdown underneath the tab. Choose "Marker Gauge", then select the "Format" dropdown, select "Color Ranges", then "Manual". There you should be able to adjust the thresholds however you like.

Depending on your Splunk version you should be able to create the same visualization on a dashboard panel.

0 Karma

idab
Path Finder

Hi PGrantham,

The Marker Gauge might be an option but just wondering how you would display the cpu time for each server with the data?

https://answers.splunk.com/storage/temp/56224-marker-gauge.jpg

0 Karma

idab
Path Finder
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...