Splunk Search

Look up CPU data from another search

Contributor

Edit: Now thinking about it, I probably could combine the two queries, in wmi.conf, into one. However, let's assume that isn't possible for sake of learning.

Edit2: You'd think the following search would work but it errors out: | eval NumCores=[ search index=perfmon sourcetype="WMI:processinfo" host="MYHOST" | return $NumberOfCores ]

I have two searches that need to be combined:

index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle
| reverse
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0 AND cputime < 400
| timechart span=3 avg(cputime) by Name

index=perfmon sourcetype="WMI:processinfo" 
| dedup host
| table host NumberOfCores

The idea is I want to be able to look up CPU usage for each PC. Problem is I can only see overall usage, not per process. The first search allows me to do that; however, it depends on knowing the total CPU cores for that machine. If I want to put it in a dashboard (or automate it in any way), I need to be able to search it.

This is my wmi.conf on the server (for the app deployed to my forwarders).

[WMI:process]
index = perfmon
disabled = 0
interval = 450
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process

[WMI:processinfo]
index = perfmon
disabled = 0
interval = 86400
wql = SELECT * FROM Win32_Processor

Basically, I want to match the hostname from sourcetype WMI:process in the sourcetype WMI:processinfo, which looks for NumberOfCores. WMI:processinfo is only updated daily (maybe even less than that) as it's mostly static info. I've tried things like append/subsearch/transaction/coalesce, but I don't think I'm using them properly. In my mind, it would work if NumberOfCores was inserted in each event where its hostname matched (aka if I could've combined both queries in my wmi.conf).

0 Karma

Re: Look up CPU data from another search

SplunkTrust

Give this a try

index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle
| sort 0 host _time
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by host Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0 AND cputime < 400
| bucket span=3 _time
| stats avg(cputime) as cputime by _time host Name
| join host [search index=perfmon sourcetype="WMI:processinfo" earliest=-24h
    | stats latest(NumberOfCores) as NumberOfCores by host]
| eval cputime = cputime / NumberOfCores
| timechart span=3 avg(cputime) by Name
0 Karma
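To make the arithmetic in the two searches above concrete, here is an added Python stand-in (not from the thread, and not Splunk code) that emulates what the streamstats/eval/search steps and the `stats latest(NumberOfCores) by host` join do, using constructed raw-counter events for host MYHOST; the process name `sqlservr`, the counter values and the core counts are made up.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): two raw samples per process on
# MYHOST from Win32_PerfRawData_PerfProc_Process, plus two Win32_Processor records.
PROCESS_EVENTS = [
    {"host": "MYHOST", "Name": "sqlservr", "PercentProcessorTime": 1000, "Timestamp_Sys100NS": 10000},
    {"host": "MYHOST", "Name": "sqlservr", "PercentProcessorTime": 7000, "Timestamp_Sys100NS": 14000},
    {"host": "MYHOST", "Name": "explorer", "PercentProcessorTime": 500, "Timestamp_Sys100NS": 10000},
    {"host": "MYHOST", "Name": "explorer", "PercentProcessorTime": 500, "Timestamp_Sys100NS": 14000},
]
PROCESSINFO_EVENTS = [
    {"host": "MYHOST", "NumberOfCores": 4, "_time": 1},
    {"host": "MYHOST", "NumberOfCores": 8, "_time": 2},  # newest record wins, like latest()
]


def latest_cores_by_host(events):
    """Equivalent of `stats latest(NumberOfCores) as NumberOfCores by host`."""
    cores = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        cores[ev["host"]] = ev["NumberOfCores"]
    return cores


def per_process_cpu(events, cores_by_host, lo=0, hi=400):
    """Emulates the streamstats/eval/search pipeline from the thread.

    For each (host, Name) pair, cputime = 100 * dPPT / dTS between consecutive
    samples (both counters are in 100 ns units, so this is percent of one core).
    Rows outside lo < cputime < hi are dropped, then the value is divided by the
    host's NumberOfCores to express it as a share of the whole machine.
    """
    prev = {}
    rows = []
    for ev in sorted(events, key=lambda e: (e["host"], e["Timestamp_Sys100NS"])):
        key = (ev["host"], ev["Name"])
        if key in prev:
            p = prev[key]
            dts = ev["Timestamp_Sys100NS"] - p["Timestamp_Sys100NS"]
            if dts > 0:
                cputime = 100 * (ev["PercentProcessorTime"] - p["PercentProcessorTime"]) / dts
                if lo < cputime < hi and ev["host"] in cores_by_host:
                    rows.append({"host": ev["host"], "Name": ev["Name"],
                                 "cputime": cputime,
                                 "cputime_per_core": cputime / cores_by_host[ev["host"]]})
        prev[key] = ev
    return rows
```

The idle `explorer` sample yields cputime 0 and is filtered out exactly as `search cputime > 0` would do; `sqlservr` shows 150% of one core, i.e. 18.75% of the 8-core box.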