Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Query for Windows Process Names and CPU Utilizations

Raja_Selvaraj
Explorer
‎06-12-2024 08:18 AM

 

Hi all,

Can you please help me with the Splunk query to list the Windows Process Names and CPU utilizations for the particular hostname. I have made the query as follows:-

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2) | timechart latest('CPU') by process_name

 

With the above mentioned query, i can able to get the CPU utilization results for listed Windows Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Could someone please suggest or validate whether i am getting valid results and also the reason for multiple 100% CPU utilization?

 

 

CPU.JPG

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 03:12 PM

@Raja_Selvaraj 

Take a look at this article on Process\% Processor Time

https://learn.microsoft.com/en-us/archive/technet-wiki/12984.understanding-processor-processor-time-...

How many cores does your machine have?

 

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:15 AM

Thanks for the reply!! Mostly 4 to 8 Cores for Windows Servers..

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-12-2024 01:21 PM
Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Are these 100% utilization for multiple process names on a single host or multiple hosts?  Your last stats is | timechart latest('CPU') by process_name, which aggregates across all that match host=*hostname*.  Is there any reason why there must not be multiple 100%?

Maybe you are looking for groupby process_name AND host?

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2)
| timechart latest('CPU') by process_name host

The output will not be pretty but it's an idea.

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:17 AM

Thanks for the reply!!

The stats i am looking for single windows servers.

| timechart latest('CPU') by process_name host

timechart followed by process_name host does not work

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...