Splunk Search

How to generate alarm for when CPU peaks at100% over a 15 min period?


We have just started using the IT Essentials App, we are generating alarms based on thresholds being breached, the thresholds only seem to be available when for example a CPU peaks at 90%, what i am looking for is generating an alarm for when CPU peaks at 100% for a period of 10 mins.


Below is my spl, would using time_window = 15m suffice ? 


| mstats max(ps_metric.pctCPU) as val WHERE index = em_metrics OR index = itsi_im_metrics by host span=5m 
| eval val=100-val 
| rename host as host 
| eval host="host=".$host$ , id="ta_nix" 
| lookup itsi_entities entity_type_ids as id _itsi_identifier_lookups as host OUTPUT _key as entity_key, title, _itsi_informational_lookups as info_lookup, _itsi_identifier_lookups as alias_lookup 
| search entity_key != NULL 
| eval entity_type="Unix/Linux Add-on" 
| eval metric_name="CPU Usage Percent" 
| eval itsiSeverity=case(val <= 75, 2, val <= 90 and val > 75, 4, val > 90, 6) 
| eval itsiAlert=metric_name." alert for ".entity_type." entity type" 
| eval itsiDrilldownURI="/app/itsi/entity_detail?entity_key=".entity_key 
| eval itsiInstance=title 
| eval entity_title=title 
| eval itsiNotableTitle=title 
| eval val = round(val, 2) 
| eval itsiDetails = metric_name + " current value is " + val 
| eval sec_grp=default_itsi_security_group 
| eval alert_source="entity_type" 
| where IsNull(is_entity_in_maintenance) OR (is_entity_in_maintenance != 1) 
| fields - host


Labels (1)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...