Hi Experts,
I know that we have the Splunk App for Windows Infrastructure, but I am not using this app. For CPU and Processes, I am using the following in wmi.conf:
CPU
[WMI:CPUTime]
interval = 03
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = abc
disabled = 0
Result
PercentProcessorTime=10
PercentUserTime=4
wmi_type=CPUTime
Question :- Am I calculating correctly the avg CPU time over time?
index=abc source="WMI:CPUTime" |eval overallCPU=PercentProcessorTime+PercentUserTime| timechart avg(overallCPU) AS CPU_Utilization
Processes
[WMI:LocalProcesses]
interval = 30
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = abc
disabled = 0
Question :- I want to show a table that contains host name, Process name, and CPU_utilization and this table only shows those processes which are consuming more than 50% CPU. Please help me to create this search. The problem I am facing is when creating a sub search, so the idea is to get CPU>=50 and the corresponding processes.
Regards
VG
For the value of total processor utilization systemwide, use the Processor(_Total)\% Processor Time counter.
For the second question, just add this to your search:
| where PercentProcessorTime>=50
In other words, don't combine percent processor time with percent user time. Just use percent processor time.
I get it, thanks man, you are awesome.
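The filter from the answer, written out as a complete search for the table asked for in the question (an added example, not posted by anyone in this thread). It uses the index, source and field names from the wmi.conf stanzas above; excluding the `_Total` and `Idle` pseudo-instances that the process class also returns, and the `samples_over_50` column, are additions made here.

```spl
index=abc source="WMI:LocalProcesses" Name!="_Total" Name!="Idle"
| where PercentProcessorTime >= 50
| stats max(PercentProcessorTime) AS CPU_utilization
        count AS samples_over_50
        latest(IDProcess) AS pid
        BY host, Name
| sort - CPU_utilization
| table host, Name, pid, CPU_utilization, samples_over_50
```

No sub search is needed because each event already carries the process name and its CPU value. Per-process PercentProcessorTime can exceed 100 on multi-core hosts, so a single busy thread on a large server may need a different threshold.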