I would like to perform the following:
each result returned by
source="wmi:cputime" daysago=30 | where PercentProcessorTime>=80 | stats count by host
divided by each result returned by
source="wmi:cputime" daysago=30 | where PercentProcessorTime>=0 | stats count by host
I need this result in order to get the monthly usage of the resource per host. Any idea? Cheers
I found the answer to my own question:
source="wmi:cputime" daysago=30 | stats count(eval(PercentProcessorTime>=80)) as Total_80, count(eval(PercentProcessorTime)) as Total by host | eval percentage=(Total_80/Total)*100
Note: a slightly simpler search would be just:
source="wmi:cputime" | stats count count(eval(PercentProcessorTime>=80)) as Total_80 by host | eval percentage=(Total_80/count)*100
It seems like the question here is: for events with a PercentProcessorTime field, what quantity are 80 or more? If wrong, maybe a rephrase of the question might clarify.
Try something like: source="wmi:cputime" daysago=30 PercentProcessorTime=* | eval cpu_business=if(PercentProcessorTime>=80, "busy", "not_so_busy") | stats count by host, cpu_business
Thanks for the answer. What I'm looking for is the amount of time the CPU was over 80% in the last months.
So if the first query returns:
and the second:
I would like to write a single query to get:
Probably there is an easier way of getting the result, but at the moment I'm not getting it. Any suggestions?