Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Query for Windows Process Names and CPU Utilizations

Raja_Selvaraj
Explorer
‎06-12-2024 08:18 AM

 

Hi all,

Can you please help me with the Splunk query to list the Windows Process Names and CPU utilizations for the particular hostname. I have made the query as follows:-

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2) | timechart latest('CPU') by process_name

 

With the above mentioned query, i can able to get the CPU utilization results for listed Windows Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Could someone please suggest or validate whether i am getting valid results and also the reason for multiple 100% CPU utilization?

 

 

CPU.JPG

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 03:12 PM

@Raja_Selvaraj 

Take a look at this article on Process\% Processor Time

https://learn.microsoft.com/en-us/archive/technet-wiki/12984.understanding-processor-processor-time-...

How many cores does your machine have?

 

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:15 AM

Thanks for the reply!! Mostly 4 to 8 Cores for Windows Servers..

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-12-2024 01:21 PM
Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Are these 100% utilization for multiple process names on a single host or multiple hosts?  Your last stats is | timechart latest('CPU') by process_name, which aggregates across all that match host=*hostname*.  Is there any reason why there must not be multiple 100%?

Maybe you are looking for groupby process_name AND host?

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2)
| timechart latest('CPU') by process_name host

The output will not be pretty but it's an idea.

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:17 AM

Thanks for the reply!!

The stats i am looking for single windows servers.

| timechart latest('CPU') by process_name host

timechart followed by process_name host does not work

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...