- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Look up CPU data from another search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look up CPU data from another search
Edit: Now thinking about it, I probably could combine the two queries, in wmi.conf, into one. However, let's assume that isn't possible for sake of learning.
Edit2: You'd think the following search would work but it errors out: | eval NumCores=[ search index=perfmon sourcetype="WMI:processinfo" host="MYHOST" | return $NumberOfCores ]
I have two searches that need to be combined:
index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle | reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name | eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS) | search cputime > 0 AND cputime < 400 | timechart span=3 avg(cputime) by Name
index=perfmon sourcetype="WMI:processinfo"
| dedup host
| table host NumberOfCores
The idea is I want to be able to lookup CPU usage for each PC. Problem is I can only see overall usage, not per process. The first search allows me to do that; however, it depends on knowing the total CPU cores for that machine. If I want to put it in a dashboard (or automate it in any way), I need to be able to search it.
This is my wmi.conf on the server (for the app deployed to my forwarders).
[WMI:process]
index = perfmon
disabled = 0
interval = 450
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
[WMI:processinfo]
index = perfmon
disabled = 0
interval = 86400
wql = SELECT * FROM Win32_Processor
Basically, I want to match the hostname from sourcetype WMI:process in the sourcetype WMI:processinfo, which looks for NumberOfCores. WMI:processinfo is only updated daily (may be even less than that) as it's mostly static info. I've tried things like append/subsearch/transaction/coalesce, but I don't think I'm using them properly. In my mind, it would work if NumberOfCores was inserted in each event where its hostname matched (aka if I could've combined both queries in my wmi.conf).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle
| sort 0 host _time
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by host Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0 AND cputime < 400
| bucket span=3 _time | stats avg(cputime) by _time host Name
| join host [search index=perfmon sourcetype="WMI:processinfo" earliest=-24h
| stats latest(NumberOfCores) as NumberOfCores by host]
| timechart span=3 avg(cputime) by Name
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
