Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Query for Windows Process Names and CPU Utilizations

Raja_Selvaraj
Loves-to-Learn Lots
‎06-12-2024 08:18 AM

 

Hi all,

Can you please help me with the Splunk query to list the Windows Process Names and CPU utilizations for the particular hostname. I have made the query as follows:-

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2) | timechart latest('CPU') by process_name

 

With the above mentioned query, i can able to get the CPU utilization results for listed Windows Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Could someone please suggest or validate whether i am getting valid results and also the reason for multiple 100% CPU utilization?

 

 

CPU.JPG

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 03:12 PM

@Raja_Selvaraj 

Take a look at this article on Process\% Processor Time

https://learn.microsoft.com/en-us/archive/technet-wiki/12984.understanding-processor-processor-time-...

How many cores does your machine have?

 

0 Karma
Reply

Raja_Selvaraj
Loves-to-Learn Lots
‎06-13-2024 05:15 AM

Thanks for the reply!! Mostly 4 to 8 Cores for Windows Servers..

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-12-2024 01:21 PM
Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Are these 100% utilization for multiple process names on a single host or multiple hosts?  Your last stats is | timechart latest('CPU') by process_name, which aggregates across all that match host=*hostname*.  Is there any reason why there must not be multiple 100%?

Maybe you are looking for groupby process_name AND host?

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2)
| timechart latest('CPU') by process_name host

The output will not be pretty but it's an idea.

0 Karma
Reply

Raja_Selvaraj
Loves-to-Learn Lots
‎06-13-2024 05:17 AM

Thanks for the reply!!

The stats i am looking for single windows servers.

| timechart latest('CPU') by process_name host

timechart followed by process_name host does not work

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
li.common.scroll-to.top