Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search query to list top 3 cpu consuming windows processes per host?

manmah4u
Explorer
‎08-24-2014 11:41 PM

Hi,

I have around 100 windows hosts monitored by splunk server(6.0.1). I'm struggling to find a query which would list top 3 windows process consuming high cpu usage. I'm able to view all windows process host wise which is not my requirement. Top filter doesn't help as it lists top 3 processes among all host. I need top 3 process for every host. The query m using is as below.

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"   | where (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) by host,instance

Thanks,

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2014 12:07 PM

Give this a try

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"  (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as AvgValue by host,instance | sort 0 -host,-AvgValue 
| streamstats count as sno by host | where sno>4 | fields - sno

The streamstats (after sort) will generate rank for AvgValue for each host and where clause will filter to leave only the top 3 AvgValue per host.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-25-2014 12:07 PM

Give this a try

earliest=-15m environment=prod source="Perfmon:Process"  counter="% Processor Time"  (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as AvgValue by host,instance | sort 0 -host,-AvgValue 
| streamstats count as sno by host | where sno>4 | fields - sno

The streamstats (after sort) will generate rank for AvgValue for each host and where clause will filter to leave only the top 3 AvgValue per host.

Reply
Solved! Jump to solution

manmah4u
Explorer
‎08-25-2014 08:32 PM

Thanks It works.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-25-2014 12:35 AM

Try this!

(your search)|sort host - avg(Value) |dedup 3 host

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎08-25-2014 12:21 AM

Hi!

You can try to sort the search results by your processor time field and then show only the first 3 results with the head command. Should be something like this:

... | sort - "%Processor Time" | head 3

If your goal is to first calculate the average, like in your posted search query, then:

earliest=-15m environment=prod source="Perfmon:Process" counter="% Processor Time" | where (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as cputime by host,instance | sort - cputime | head 3
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...