Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search query to list top 3 cpu consuming windows processes per host?

manmah4u
Explorer
‎08-24-2014 11:41 PM

Hi,

I have around 100 windows hosts monitored by splunk server(6.0.1). I'm struggling to find a query which would list top 3 windows process consuming high cpu usage. I'm able to view all windows process host wise which is not my requirement. Top filter doesn't help as it lists top 3 processes among all host. I need top 3 process for every host. The query m using is as below.

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"   | where (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) by host,instance

Thanks,

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2014 12:07 PM

Give this a try

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"  (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as AvgValue by host,instance | sort 0 -host,-AvgValue 
| streamstats count as sno by host | where sno>4 | fields - sno

The streamstats (after sort) will generate rank for AvgValue for each host and where clause will filter to leave only the top 3 AvgValue per host.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2014 12:07 PM

Give this a try

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"  (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as AvgValue by host,instance | sort 0 -host,-AvgValue 
| streamstats count as sno by host | where sno>4 | fields - sno

The streamstats (after sort) will generate rank for AvgValue for each host and where clause will filter to leave only the top 3 AvgValue per host.

Reply
Solved! Jump to solution

manmah4u
Explorer
‎08-25-2014 08:32 PM

Thanks It works.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-25-2014 12:35 AM

Try this!

(your search)|sort host - avg(Value) |dedup 3 host

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎08-25-2014 12:21 AM

Hi!

You can try to sort the search results by your processor time field and then show only the first 3 results with the head command. Should be something like this:

... | sort - "%Processor Time" | head 3

If your goal is to first calculate the average, like in your posted search query, then:

earliest=-15m environment=prod source="Perfmon:Process" counter="% Processor Time" | where (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as cputime by host,instance | sort - cputime | head 3
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...