Splunk Search

If CPU is > 95 for more than 5 minutes <-- how do you write the syntax?

Jarohnimo
Builder

Hello all,

I know it's possible to find values via greater than, less than or equal to in your search queries. Is it possible to add more arguments to request that the value has to be that way for at least 5 minutes, and if so then return the results? In the end I wish to have an alert be sent out if any CPU is above 95% for more than 5 minutes. We don't want an alert if it's just hitting the ceiling and coming back down, we want it if it's on fire (a real problem).

I was trying something like

index=blah counter="% Processor Time" sourcetype="perfmon:processor" Value > 95 span=5m | timechart etc.etc.etc...

I believe it's possible but I just need help getting the syntax correct.

Thanks in advance.

1 Solution

DalJeanis
Legend

Here's the problem: if you limit your search results to >95, then you don't know that every result in a given time period would have been > 95. You only know that the max for that time period was at least 95. Instead, you want the min for the time period that you are checking over. Adjust the name of the cpu/host field as needed.

index=blah counter="% Processor Time" sourcetype="perfmon:processor"
earliest=-5m latest=now
| stats min(Value) as minValue by host
| where minValue>95


Jarohnimo
Builder

So instead of limiting my results, I filter them with where... nice!!

My end game is an alert,
So the way I assume it will work is if any host has their CPU above 95%,
In real time search
that -5m is the starting point and now is the present, so as long as the value remains for at least 5 minutes Splunk will alert me at the 5-minute mark?

Thanks


DalJeanis
Legend

@Jarohnimo - you got it. Basically, the time range limits to the last 5 minutes, and then the min(Value) ensures that the CPU usage has not fallen below 95. Any CPU that didn't report at all won't be included, but then its usage wasn't above 95%, so that would be a different alert anyway.

Now, you might want to verify how long, on average, your system takes to index and post the scores. If it takes an average of 5 seconds, and a 95th percentile of 8 seconds, then you might want to use...

earliest=-309s latest=-9s
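The difference between filtering on Value > 95 and taking min(Value) over the window, modelled in Python as an added example (not from the thread; the hosts, sample values and the `lag` offset are constructed):

```python
from datetime import datetime, timedelta

THRESHOLD = 95.0
WINDOW = timedelta(minutes=5)

# Constructed perfmon-style samples: (host, sample_time, value), one per minute.
# web01 is pegged for the whole window ("on fire");
# web02 spikes once and comes back down ("hitting the ceiling").
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLES = []
for i in range(6):
    t = NOW - timedelta(minutes=i)
    SAMPLES.append(("web01", t, 97.0 + i * 0.2))
    SAMPLES.append(("web02", t, 99.0 if i == 2 else 40.0))


def naive_alert(samples, now=NOW):
    """What the original search does: keep only Value > 95 and see which hosts
    remain. One spike inside the window is enough, so web02 fires too."""
    return sorted({h for h, t, v in samples
                   if now - WINDOW <= t <= now and v > THRESHOLD})


def sustained_alert(samples, now=NOW, lag=timedelta(0)):
    """The accepted answer: stats min(Value) by host over the window, then
    where minValue > 95. Only hosts that never dropped below the threshold
    fire; hosts with no samples in the window are not present at all.
    `lag` shifts the window back (the earliest=-309s latest=-9s idea) so the
    window only covers samples that have had time to be indexed."""
    latest = now - lag
    earliest = latest - WINDOW
    per_host = {}
    for host, t, value in samples:
        if earliest <= t <= latest:
            per_host[host] = min(per_host.get(host, float("inf")), value)
    return sorted(h for h, m in per_host.items() if m > THRESHOLD)
```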