Splunk Search

Requesting Assistance Writing a Search Request

dharveynswccd
Path Finder

I am writing a search which I intend to use to create an alert from. I keep getting "No Results" from this search unless I remove the third line (where Percent.........). Something is wrong with that filter but I can't seem to figure out what it is.

Here is the search:

index=oswinperf sourcetype="Perfmon:CPU" (counter="% Processor Time" OR counter="% C2 Time")
| eval level=if(PercentUsedSpace>=90,"CRITICAL",if(PercentUsedSpace>=80,"WARNING",""))
| where PercentUsedSpace>=80
| sort - PercentUsedSpace
| dedup host
| table level _time host Value
| rename level as severity

My intended result is something like this:
Severity Time Host Value

I would like to convert the results in the field to actual percentages.

Any help is appreciated. Thanks

1 Solution

DavidHourani
Super Champion

Hello @dharveynswccd,

Try this :

index=oswinperf sourcetype="Perfmon:CPU" (counter="% Processor Time" OR counter="% C2 Time") PercentUsedSpace>=80
| stats values(Value) as Value by PercentUsedSpace, host , _time
| eval level=if(PercentUsedSpace>=90,"CRITICAL",if(PercentUsedSpace>=80,"WARNING",""))
| rename level as severity

Cheers,
David


0 Karma


dharveynswccd
Path Finder

@DavidHourani,
Thanks for the response to my question. Unfortunately I received the "no results" even after changing the Warning and Critical values to much lower numbers.

0 Karma

DavidHourani
Super Champion

Umm.. weird..

Does the first line alone give you anything ?

index=oswinperf sourcetype="Perfmon:CPU" (counter="% Processor Time" OR counter="% C2 Time") PercentUsedSpace>=80

0 Karma

DavidHourani
Super Champion

Wait, now that I read it again, why are you filtering on used space when all your counters are linked to CPU? The field PercentUsedSpace is not even part of your events, is it?

0 Karma
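Added example, not from the thread: the check I would run before filtering on any field name the search bar auto-completes. It counts, per counter, how many Perfmon:CPU events actually carry each candidate field. Index, sourcetype and the two field names are the ones used in this thread; the 60-minute window is an assumption.

```spl
index=oswinperf sourcetype="Perfmon:CPU" earliest=-60m
| stats count AS events,
        count(PercentUsedSpace) AS have_PercentUsedSpace,
        count(windows_cpu_load_percent) AS have_windows_cpu_load_percent
  BY counter
```

A column that is 0 on every row is a field you cannot filter on: a `where` or base-search comparison against it discards every event, and an alert built on that search never fires. That is the dangerous failure mode for monitoring, because it is silent. If you would rather not guess names at all, `| fieldsummary` lists every extracted field with its event count.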

dharveynswccd
Path Finder

You are indeed correct. Earlier when I was writing the search I followed the auto-complete in the search bar which led me to that. I just changed that to windows_cpu_load_percent and I am now seeing results, even writing the search 2 different ways. I still need to dumb it down a little but the 2 below seem to work:

index=oswinperf sourcetype="Perfmon:CPU"
| bucket _time span=30m
| eval Load=if(windows_cpu_load_percent>=90,"CRITICAL",if(windows_cpu_load_percent>=80,"WARNING",""))
| table Load _time host windows_cpu_load_percent
| sort - windows_cpu_load_percent
| dedup host
| rename Load as severity

I'm still trying to determine how to convert a decimal to a whole number in the percentage column. Any thoughts on this?

0 Karma

DavidHourani
Super Champion

Ah, that's great, glad you found the error there... really weird when the autocorrect happens.

You can use the round function. something like this :

| eval windows_cpu_load_percent=round(windows_cpu_load_percent, 0)

0 Karma
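Added example, not code from the thread: the alert-style search I would build from the pieces above. It keeps the numeric filter in the base search (as the accepted answer did) but on the field that exists, aggregates per host and 30-minute bucket with stats instead of relying on the row order dedup happens to see, rounds to a whole percent, and reports one row per host at its worst bucket. Index, sourcetype, counter name, field name, bucket size and thresholds are those from the thread; the output field names are my own.

```spl
index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" windows_cpu_load_percent>=80
| bucket _time span=30m
| stats max(windows_cpu_load_percent) AS cpu_pct, count AS samples BY _time, host
| eval cpu_pct=round(cpu_pct, 0)
| eval severity=if(cpu_pct>=90, "CRITICAL", "WARNING")
| sort - cpu_pct
| dedup host
| table severity _time host cpu_pct samples
```

Two caveats when turning this into an alert. "% C2 Time" is a processor idle-state counter (time spent in the C2 low-power state), so a high value means the CPU is idle; putting it under the same >=80 rule as "% Processor Time" would page on idle hosts, which is why it is left out here. And if your events carry a per-core `instance` field (an assumption, it is not shown in the thread), add `instance="_Total"` to the base search after confirming the field exists with a `stats count(instance)`, otherwise a single busy core trips the alert. Schedule the alert on the same 30-minute cadence and trigger on "number of results greater than 0".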

dharveynswccd
Path Finder

Worked! Thanks for the assists!!

dharveynswccd
Path Finder

David I awarded you 2 points. Hope that's a good reward. Not sure what the norm is.

DavidHourani
Super Champion

Thank you ! 😄

Usually, if you up-vote any comment/question/answer, that gives 15 karma to the person who posted it. If you accept an answer, that is 25 karma. So if you're into gathering karma points, just upvote and accept and keep your points ^^

0 Karma

dharveynswccd
Path Finder

Good to know

0 Karma

dharveynswccd
Path Finder

Edit: The second to last line here should read:

I would like to convert the results in the "Value" field to actual percentages

0 Karma