Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Query for Windows Process Names and CPU Utilizations

Raja_Selvaraj
Explorer
‎06-12-2024 08:18 AM

 

Hi all,

Can you please help me with the Splunk query to list the Windows Process Names and CPU utilizations for the particular hostname. I have made the query as follows:-

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2) | timechart latest('CPU') by process_name

 

With the above mentioned query, i can able to get the CPU utilization results for listed Windows Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Could someone please suggest or validate whether i am getting valid results and also the reason for multiple 100% CPU utilization?

 

 

CPU.JPG

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 03:12 PM

@Raja_Selvaraj 

Take a look at this article on Process\% Processor Time

https://learn.microsoft.com/en-us/archive/technet-wiki/12984.understanding-processor-processor-time-...

How many cores does your machine have?

 

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:15 AM

Thanks for the reply!! Mostly 4 to 8 Cores for Windows Servers..

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-12-2024 01:21 PM
Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Are these 100% utilization for multiple process names on a single host or multiple hosts?  Your last stats is | timechart latest('CPU') by process_name, which aggregates across all that match host=*hostname*.  Is there any reason why there must not be multiple 100%?

Maybe you are looking for groupby process_name AND host?

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2)
| timechart latest('CPU') by process_name host

The output will not be pretty but it's an idea.

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:17 AM

Thanks for the reply!!

The stats i am looking for single windows servers.

| timechart latest('CPU') by process_name host

timechart followed by process_name host does not work

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...