- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Windows monitoring- high CPU % process - Splunk Al...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows monitoring- high CPU % process - Splunk Alert
Hello,
I wanted to setup alert in Splunk cloud for windows machines when CPU% is greater than 90.
Please do help how to set up the same.
My query is not working properly as expected.
index="index1" host=windows1 source="WMI:ProcessesCPU" | WHERE NOT Name="_Total" | WHERE NOT Name="System" | WHERE NOT Name="Idle" | streamstats dc(_time) as distinct_times | head (distinct_times == 1) | stats latest(PercentProcessorTime) as CPU% by Name | sort -ProcessorTime |eval AlertStatus=if('CPU%'> 90, "Alert", "Ignore") |search AlertStatus="Alert"
Inputs.conf file configurations
[WMI:ProcessesCPU]
interval = 60
wql = SELECT Name, PercentProcessorTime, PercentPrivilegedTime, PercentUserTime, ThreadCount FROM Win32_PerfFormattedData_PerfProc_Process WHERE PercentProcessorTime>0
disabled = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="index1" host=windows1 source="WMI:ProcessesCPU" PercentProcessorTime > 90
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa thank you for the response.But this won't help. Different processes will be coming in PercentProcessorTime. We need to check the total cpu % greater than 90.
Any other way ? Please do suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what's total?
sum? average? other?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa Total of all CPU processes in the windows machine. I am also confused whether to take sum or average in this case. Normally how we see as total cpu % in task manager in a windows machine . Also we need to check for real time
Below is the wql query written in wmi file
wql = SELECT Name, PercentProcessorTime, PercentPrivilegedTime, PercentUserTime, ThreadCount FROM Win32_PerfFormattedData_PerfProc_Process WHERE PercentProcessorTime>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well, why do you use `| WHERE NOT Name="_Total"` ?
_Total is total cpu usage. so, I asked you.
in wql. where ... AND Name="_Total" is simple solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa Thank you for the help.
Also there is a requirement to find the high cpu consumption process not the total cpu % , how the query should be and what should be the wql query/ configuration file changes.
Thanks in advance
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
