Solved: Need Help with query

omprakash9998 · ‎02-11-2021

Trying build a time chart for Top 10 CPU consuming Processes for a Linux host for a given timeframe.

index=os host=xxxxxx source=top pctCPU != 0.0 
| table COMMAND, pctCPU _time | sort - pctCPU | dedup COMMAND | head 10

I am trying to get a timechart based for the pctCPU usage only for these 10 COMMANDS.

Thanks

ITWhisperer · ‎02-11-2021

You could try something like this

index=os host=xxxxxx source=top pctCPU != 0.0 
| fields COMMAND, pctCPU _time 
| eventstats max(pctCPU) as maxpctCPU by COMMAND
| sort - maxpctCPU COMMAND
| streamstats dc(COMMAND) as rank
| where rank <= 10
| fields - rank maxpctCPU
| timechart span=1h max(pctCPU) as maxpctCPU by COMMAND

View solution in original post

ITWhisperer · ‎02-11-2021

You could try something like this

index=os host=xxxxxx source=top pctCPU != 0.0 
| fields COMMAND, pctCPU _time 
| eventstats max(pctCPU) as maxpctCPU by COMMAND
| sort - maxpctCPU COMMAND
| streamstats dc(COMMAND) as rank
| where rank <= 10
| fields - rank maxpctCPU
| timechart span=1h max(pctCPU) as maxpctCPU by COMMAND

Need Help with query

subsearch

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Data Management Digest – May 2026

Index This | What is feather-light but cannot be held long?

.conf26 Registration is Live: Secure Your Early Bird Pass Now

Join the Conversation