Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Windows PerfMon stats -- unable to create total_cp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm having difficulty trying to create a total_cpu field. If I map a single variable to it, this works fine and creates the field, but if I try to add them together, no field is returned.
Current query below:
sourcetype="Perfmon:Processor" host="CFDFXNFR-APP22" instance=_Total AND (counter="% User Time" OR counter="% Privileged Time" OR counter="% Interrupt Time") |
eval user=if(counter="% User Time", Value, null()) |
eval system=if(counter="% Privileged Time", Value, null()) |
eval interrupt=if(counter="% Interrupt Time", Value, null()) |
eval total_cpu=user+system+interrupt |
timechart per_second(user) as user, per_second(system) as system, per_second(idle) as idle, per_second(interrupt) as interrupt, per_second(total_cpu) as total_cpu by host limit=100 span=1s
Does anyone have any insight into what may be going wrong here?
Many thanks in advance!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There will be one row per counter, out of 3 rows per run of Perfmon, field user will be null for rows with count != "% User Time". Same is the case with other two fields. Try something like this
sourcetype="Perfmon:Processor" host="CFDFXNFR-APP22" instance=_Total AND (counter="% User Time" OR counter="% Privileged Time" OR counter="% Interrupt Time")| eval user=if(counter="% User Time", Value, null()) | eval system=if(counter="% Privileged Time", Value, null()) | eval interrupt=if(counter="% Interrupt Time", Value, null()| stats values(user) as user, values(system) as system values(interrupt) as interrupt by _time,host | eval total_cpu=user+system+interrupt | timechart per_second(user) as user, per_second(system) as system, per_second(interrupt) as interrupt, per_second(total_cpu) as total_cpu by host limit=100 span=1s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There will be one row per counter, out of 3 rows per run of Perfmon, field user will be null for rows with count != "% User Time". Same is the case with other two fields. Try something like this
sourcetype="Perfmon:Processor" host="CFDFXNFR-APP22" instance=_Total AND (counter="% User Time" OR counter="% Privileged Time" OR counter="% Interrupt Time")| eval user=if(counter="% User Time", Value, null()) | eval system=if(counter="% Privileged Time", Value, null()) | eval interrupt=if(counter="% Interrupt Time", Value, null()| stats values(user) as user, values(system) as system values(interrupt) as interrupt by _time,host | eval total_cpu=user+system+interrupt | timechart per_second(user) as user, per_second(system) as system, per_second(interrupt) as interrupt, per_second(total_cpu) as total_cpu by host limit=100 span=1s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, that's fixed it!!! Many many thanks!
Had to put an if(isnull(interrupt),0,interrupt) in to get it working properly, but this was spot-on.
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...
Reduce and Transform Your Firewall Data with Splunk Data Management
