Re: splunk search query for CPU usage

Atul1507 · ‎12-29-2021

Hi i am new to splunk.
i have splink event like this
" system CPU | 6.039 % | system time | 0.009 % |

how can i get avg CPU % usage value against index type ? via report or dashboards.

Atul1507 · ‎12-29-2021

i tried these query ..but not seeing any output in CPU_perc field.

gcusello · ‎12-29-2021

please, what out do you have in

index=*
| rex "system CPU\|(?<CPU_perc>\d+)\s+\%"
| table CPU_perc

?

if you haven't any result, the field extraction is wrong, in this case, please share more examples of your data.

If instead you have results, please share some of them.

Ciao.

Giuseppe

Atul1507 · ‎12-29-2021

cant share more details as its client server.

but there is no field extracted for CPU

gcusello · ‎12-29-2021

hi @Atul1507,

please, send some log, masking the relevant data (e.g. hostname or IP address), but maintain the data structure.

Ciao.

Giuseppe

Atul1507 · ‎12-30-2021

gcusello · ‎12-31-2021

Hi @Atul1507,

please try this sample:

| makeresults 
| eval ppp="XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.48%|system time|0.45%|system CPU|7.14687%|iowait|0.0224%"
| append [ | makeresults | eval ppp="XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.48%|system time|0.45%|system CPU|12.14687%|iowait|0.0224%" ]
| rex field=ppp "CPU\|(?<system_CPU>[^\%]+)"
| stats avg(system_CPU)

Ciao.

Giuseppe

Atul1507 · ‎01-03-2022

Thanks,

But this query seems to be specefic to fix inputs.....while all this values are subjecteedd to change dynamically.

What i want to calculate average % usage of field "system CPU".

I HAVE other fields extracted like : index type,host,sourcetype.

so i can create dasboards for cpu usage by index type,host,sourcetype.

Note: we dont have extracted field for cpu percentage (CPU_perc)

gcusello · ‎01-03-2022

Hi @Atul1507,

as @isoutamo said (thanks to @isoutamo), in my answer you have to find the approach to solve your need, not the full solution to all your needs, also because I can only a subset of your real data.

As he said, I used the | makeresults rows to have your data in my search, but in your real condition, you surely have a search that extract the data to use in this search.

So, analyze my answer to understand the approach to follow and adapt it to your real situation:

extract all the fields you need, not only the one I used in the sample,
use, in the stats command, the BY cause to group the results for index or host or sourcetype, etc...

Ciao.

Giuseppe

isoutamo · ‎01-03-2022

Hi
In @gcusello 's answer, he will use your given data as a sample. That was lines between makeresults ... rex. In real life you should add from "| rex ..." after that SPL which you are using to generate that sample data. And as you probably have this data on "field" _raw then you should remove field=ppp from rex or replace it as "field = _raw" (or what ever that field is where you sample data is).

Yes, you can generate that data on dashboard with stats ... by index, host, sourcetype.
r. Ismo

gcusello · ‎12-29-2021

Hi @Atul1507,

if you have many evevnts like the one you shared, do you want to calculate the average or the max value of CPU usage?

supposing that you already have the extraction of the CPU usave percentage, in numbers (without the % char)) and If average, please, try something like this:

index=*
| stats avg(CPU_perc) AS CPU_perc BY index

If instead you didn't extracted the CPU_perc field, please try something like this (always calculating average):

index=*
| rex "system CPU\|(?<CPU_perc>[^ ]+)\s+\%"
| eval CPU_perc=tonumber(CPU_perc)
| stats avg(CPU_perc) AS CPU_perc BY index

Ciao.

Giuseppe

splunk search query for CPU usage

chart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!