Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Query for Windows Process Names and CPU Utilizations

Raja_Selvaraj
Explorer
‎06-12-2024 08:18 AM

 

Hi all,

Can you please help me with the Splunk query to list the Windows Process Names and CPU utilizations for the particular hostname. I have made the query as follows:-

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2) | timechart latest('CPU') by process_name

 

With the above mentioned query, i can able to get the CPU utilization results for listed Windows Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Could someone please suggest or validate whether i am getting valid results and also the reason for multiple 100% CPU utilization?

 

 

CPU.JPG

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 03:12 PM

@Raja_Selvaraj 

Take a look at this article on Process\% Processor Time

https://learn.microsoft.com/en-us/archive/technet-wiki/12984.understanding-processor-processor-time-...

How many cores does your machine have?

 

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:15 AM

Thanks for the reply!! Mostly 4 to 8 Cores for Windows Servers..

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-12-2024 01:21 PM
Process names, but when analyzing the results, for particular time frame there are multiple 100% CPU utilization for mutiple Windows process names.

Are these 100% utilization for multiple process names on a single host or multiple hosts?  Your last stats is | timechart latest('CPU') by process_name, which aggregates across all that match host=*hostname*.  Is there any reason why there must not be multiple 100%?

Maybe you are looking for groupby process_name AND host?

index=tuuk_perfmon source="Perfmon:Process" counter="% Processor Time" host=*hostname* (instance!="_Total" AND instance!="Idle" AND instance!="System") | eval 'CPU'=round(process_cpu_used_percent,2)
| timechart latest('CPU') by process_name host

The output will not be pretty but it's an idea.

0 Karma
Reply

Raja_Selvaraj
Explorer
‎06-13-2024 05:17 AM

Thanks for the reply!!

The stats i am looking for single windows servers.

| timechart latest('CPU') by process_name host

timechart followed by process_name host does not work

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...