Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search query to list top 3 cpu consuming windows processes per host?

manmah4u
Explorer
‎08-24-2014 11:41 PM

Hi,

I have around 100 windows hosts monitored by splunk server(6.0.1). I'm struggling to find a query which would list top 3 windows process consuming high cpu usage. I'm able to view all windows process host wise which is not my requirement. Top filter doesn't help as it lists top 3 processes among all host. I need top 3 process for every host. The query m using is as below.

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"   | where (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) by host,instance

Thanks,

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2014 12:07 PM

Give this a try

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"  (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as AvgValue by host,instance | sort 0 -host,-AvgValue 
| streamstats count as sno by host | where sno>4 | fields - sno

The streamstats (after sort) will generate rank for AvgValue for each host and where clause will filter to leave only the top 3 AvgValue per host.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2014 12:07 PM

Give this a try

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"  (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as AvgValue by host,instance | sort 0 -host,-AvgValue 
| streamstats count as sno by host | where sno>4 | fields - sno

The streamstats (after sort) will generate rank for AvgValue for each host and where clause will filter to leave only the top 3 AvgValue per host.

Reply
Solved! Jump to solution

manmah4u
Explorer
‎08-25-2014 08:32 PM

Thanks It works.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-25-2014 12:35 AM

Try this!

(your search)|sort host - avg(Value) |dedup 3 host

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎08-25-2014 12:21 AM

Hi!

You can try to sort the search results by your processor time field and then show only the first 3 results with the head command. Should be something like this:

... | sort - "%Processor Time" | head 3

If your goal is to first calculate the average, like in your posted search query, then:

earliest=-15m environment=prod source="Perfmon:Process" counter="% Processor Time" | where (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as cputime by host,instance | sort - cputime | head 3
0 Karma
Reply
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...
Top