
How to search the peak CPU usage and duration of that peak usage for each machine from Windows performance logs?

rwiley
Explorer

I am getting performance logs from several Windows servers. The value field shows the % of usage for each machine. I want to pull the peak usage from a given time range and show the peak and duration that it stayed at the peak usage for that time. I tried to use eval max, but I was not able to get it to return the data I needed.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

sourcetype="Perfmon:CPU Load" host=LOG01DLMNMO | table _time host, collection, counter, Value | sort 0 _time 
| dedup host, collection, counter, Value consecutive=true | streamstats current=f window=1 values(_time) as prev_time values(Value) as prev_value
| where isnotnull(prev_value) | eventstats max(prev_value) as max | where prev_value=max 
| eval duration=_time-prev_time | table host, collection, counter , prev_value , duration | rename prev_value as Peak_Value


minglani
New Member

This is a really good script. I am struggling to get this working for CPU load % to stay over 50% for 2 mins or more.

0 Karma

jtrimmi1
Explorer

Nice, thanks!

0 Karma
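An added example, not part of the thread and written in Python rather than SPL: an offline reference for cross-checking a search's output, computing per host the peak value with the longest time spent continuously at it, plus the "over 50% for 2 minutes or more" case asked about above. The host names, sample values and function names are constructed for illustration; a run is assumed to last until the first later sample that is no longer at the level.

```python
from itertools import groupby
from operator import itemgetter

# Constructed samples (epoch seconds, host, Value), shaped like Perfmon
# "% Processor Time" events; hosts and numbers are made up for illustration.
SAMPLES = [
    (0, "SRV-A", 12.0), (30, "SRV-A", 97.5), (60, "SRV-A", 97.5),
    (90, "SRV-A", 97.5), (120, "SRV-A", 40.0), (150, "SRV-A", 97.5),
    (180, "SRV-A", 20.0),
    (0, "SRV-B", 55.0), (30, "SRV-B", 61.0), (60, "SRV-B", 72.0),
    (90, "SRV-B", 58.0), (120, "SRV-B", 51.0), (150, "SRV-B", 30.0),
]

def runs(points, at_level):
    """Yield (start, duration) for each unbroken run where at_level(value) holds.
    A run ends at the first later sample that fails the test; a run still open
    at the last sample ends at that sample's timestamp."""
    start = last_t = None
    for t, value in points:
        if at_level(value):
            if start is None:
                start = t
        elif start is not None:
            yield start, t - start
            start = None
        last_t = t
    if start is not None:
        yield start, last_t - start

def by_host(samples):
    """Group samples per host, each group ordered by time."""
    ordered = sorted(samples, key=itemgetter(1, 0))
    for host, grp in groupby(ordered, key=itemgetter(1)):
        yield host, [(t, v) for t, _, v in grp]

def peak_report(samples):
    """host -> (peak value, longest time spent continuously at that peak)."""
    out = {}
    for host, pts in by_host(samples):
        peak = max(v for _, v in pts)
        out[host] = (peak, max(d for _, d in runs(pts, lambda v: v == peak)))
    return out

def sustained_over(samples, threshold=50.0, min_seconds=120):
    """host -> [(start, duration)] for runs above threshold of min_seconds or more."""
    return {host: [r for r in runs(pts, lambda v: v > threshold) if r[1] >= min_seconds]
            for host, pts in by_host(samples)}
```

SRV-A reaches its peak twice in the constructed data, so the report keeps the longer of the two runs.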


rwiley
Explorer

Thank you. This looks like what I needed.

0 Karma

bhanue
New Member

Hi All,
I am very new to Splunk.

My organisation uses Splunk for all infra monitoring. I am trying to get the "Peak CPU average" (or) the highest CPU hit per instance in the last 24 hours of all my Azure VMs.

I am able to get the average using the below query, but I need the peak average. Can you please help?

host=AZR* index="perfmon" source="Perfmon:CPU" counter="% Processor Time" | stats avg(Value) as avgcpu by host

host=AZR* index="perfmon" source="Perfmon:Memory" counter="% Committed Bytes In Use" | stats avg(Value) as AvgMemory by host

0 Karma


suarezry
Builder

Show us a sample of the events in Splunk and what your desired results should be.

0 Karma

rwiley
Explorer

sourcetype="Perfmon:CPU Load" host=LOG01DLMNMO | table host, collection, counter, Value

host | collection | counter | Value
server | CPU Load | %Processor Time | 0.1346..

Would like to see:
host | collection | counter | peak value | duration of peak value

0 Karma