Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows Servers - High CPU usuage of process that is greater than 90

Supriya
Path Finder
‎09-21-2020 07:08 AM

Hi Team,

I wanted to set up alert in Splunk cloud for windows machines when CPU% of a single process is greater than 90.

Please do help how to write the Query

My below query is not working properly as expected.

index="index" host="windows" source="WMI:ProcessesCPU" | WHERE NOT Name="_Total" | WHERE NOT Name="System" | WHERE NOT Name="Idle"| streamstats dc(_time) as distinct_times | head (distinct_times == 1) | stats latest(PercentProcessorTime) as CPU% by Name | sort -ProcessorTime |eval AlertStatus=if('CPU%'> 90, "Alert", "Ignore") |search AlertStatus="Alert"

wmi.conf file configuration:

[WMI:ProcessesCPU]
interval = 60
wql = SELECT Name, PercentProcessorTime, PercentPrivilegedTime, PercentUserTime, ThreadCount FROM Win32_PerfFormattedData_PerfProc_Process WHERE PercentProcessorTime>0
disabled = 0

Supriya_0-1600696831150.png

Total of all CPU processes in the windows machine should be 100% as we see in task manager.

But I'm getting 100 % for each process which is wrong.

Could some one please help

Labels (5)
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-23-2020 03:27 PM

Your query has some errors

index="index" host="host" source="WMI:ProcessesCPU" 
| WHERE NOT Name="_Total" 
| WHERE NOT Name="System" 
| WHERE NOT Name="Idle" 
| streamstats dc(_time) as distinct_times 
| head (distinct_times == 1) 
| stats latest(PercentProcessorTime) as CPU% by Name 
| sort -ProcessorTime 
| eval AlertStatus=if('CPU%'> 90, "Alert", "Ignore") 
| search AlertStatus="Alert"

what are you trying to achieve with streamstats/head combination?

Also, you have no field ProcessorTime after your stats command, so the sort does nothing.

Trying to compare, what I imagine is Perfmon data to task manager process CPU will not work as they are not reporting the same data. It looks like you need to check what your field PercentProcessorTime is actually telling you. 

 

Reply

Supriya
Path Finder
‎09-23-2020 12:26 AM

@niketn 

Could you please help us with the above Question for which we are not getting expected output.

The below is the Query we used:

index="index" host="host" source="WMI:ProcessesCPU" | WHERE NOT Name="_Total" | WHERE NOT Name="System" | WHERE NOT Name="Idle" | streamstats dc(_time) as distinct_times | head (distinct_times == 1) | stats latest(PercentProcessorTime) as CPU% by Name | sort -ProcessorTime |eval AlertStatus=if('CPU%'> 90, "Alert", "Ignore") |search AlertStatus="Alert"

The output we received is in the above screenshot.

Tags (2)
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...