
splunk search query for CPU usage

Atul1507
Loves-to-Learn Lots

Hi, I am new to Splunk.
I have a Splunk event like this:
"system CPU | 6.039 % | system time | 0.009 % |"

How can I get the avg CPU % usage value against index type, via report or dashboards?

0 Karma

Atul1507
Loves-to-Learn Lots

I tried these queries, but I'm not seeing any output in the CPU_perc field.

0 Karma

gcusello
Legend

Hi @Atul1507,

please, what output do you have in

index=*
| rex "system CPU\s*\|\s*(?<CPU_perc>\d+(?:\.\d+)?)\s*%"
| table CPU_perc

?

If you don't have any results, the field extraction is wrong; in this case, please share more examples of your data.

If instead you have results, please share some of them.

Ciao.

Giuseppe

0 Karma

Atul1507
Loves-to-Learn Lots

Can't share more details as it's a client server.

But there is no field extracted for CPU.

0 Karma

gcusello
Legend

hi @Atul1507,

please, send some logs, masking the relevant data (e.g. hostname or IP address), but maintaining the data structure.

Ciao.

Giuseppe

0 Karma

Atul1507
Loves-to-Learn Lots

XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.48%|system time|0.45%|system CPU|7.14687%|iowait|0.0224%
XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Health|ProcMaxGB|0|ProcAlertGB|0|CurrentGB|16|SysMinFreePct|10|SysAlertFreePct|30|FreePct|77
XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.46%|system time|0.44%|system CPU|7.11321%|iowait|0.056%
XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Health|ProcMaxGB|0|ProcAlertGB|0|CurrentGB|16|SysMinFreePct|10|SysAlertFreePct|30|FreePct|77
XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.61%|system time|0.46%|system CPU|8.64004%|iowait|0.0448%
XXXXXXXXXXXXXXXXXXXXX"60 gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Health|ProcMaxGB|0|ProcAlertGB|0|CurrentGB|16|SysMinFreePct|10|SysAlertFreePct|30|FreePct|77

0 Karma

gcusello
Legend

Hi @Atul1507,

please try this sample:

| makeresults 
| eval ppp="XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.48%|system time|0.45%|system CPU|7.14687%|iowait|0.0224%"
| append [ | makeresults | eval ppp="XXXXXXXXXXXXXXXXXXXXX gsystem.cpp:XXX] System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.48%|system time|0.45%|system CPU|12.14687%|iowait|0.0224%" ]
| rex field=ppp "CPU\|(?<system_CPU>[^\%]+)"
| stats avg(system_CPU)

Ciao.

Giuseppe

0 Karma

Atul1507
Loves-to-Learn Lots

Thanks,

But this query seems to be specific to fixed inputs, while all these values are subject to change dynamically.

What I want is to calculate the average % usage of the field "system CPU".

I have other fields extracted like: index type, host, sourcetype.

So I can create dashboards for CPU usage by index type, host, sourcetype.

Note: we don't have an extracted field for CPU percentage (CPU_perc).

0 Karma

gcusello
Legend

Hi @Atul1507,

as @isoutamo said (thanks to @isoutamo), in my answer you have to find the approach to solve your need, not the full solution to all your needs, also because I can only see a subset of your real data.

As he said, I used the | makeresults rows to have your data in my search, but in your real condition, you surely have a search that extracts the data to use in this search.

So, analyze my answer to understand the approach to follow and adapt it to your real situation:

  • extract all the fields you need, not only the one I used in the sample,
  • use, in the stats command, the BY clause to group the results for index or host or sourcetype, etc...

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
Hi
In @gcusello's answer, he uses your given data as a sample. Those were the lines between makeresults ... rex. In real life you should add, from "| rex ..." onward, after the SPL you are using to generate that sample data. And as you probably have this data in the field _raw, you should remove field=ppp from rex or replace it with "field=_raw" (or whatever field your sample data is in).

Yes, you can generate that data on a dashboard with stats ... by index, host, sourcetype.
r. Ismo
0 Karma

gcusello
Legend

Hi @Atul1507,

if you have many events like the one you shared, do you want to calculate the average or the max value of CPU usage?

Supposing that you already have the extraction of the CPU usage percentage, in numbers (without the % char), and if you want the average, please try something like this:

index=*
| stats avg(CPU_perc) AS CPU_perc BY index

If instead you haven't extracted the CPU_perc field, please try something like this (always calculating the average):

index=*
| rex "system CPU\s*\|\s*(?<CPU_perc>\d+(?:\.\d+)?)\s*%"
| eval CPU_perc=tonumber(CPU_perc)
| stats avg(CPU_perc) AS CPU_perc BY index

Ciao.

Giuseppe


0 Karma
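As an added illustration (not part of the thread), here is a Python stand-in for the `rex` + `stats avg(...) BY host` pipeline, run over constructed events modelled on the masked records posted above; the host names are made up. It also shows that a pattern tolerant of optional spaces matches both record styles seen in the thread, while a greedy `[^ ]+` pattern that expects whitespace before the percent sign matches neither.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample events modelled on the masked lines posted in the thread.
# Host names are made up; the field layout copies the posted records.
EVENTS = [
    ("hostA", "System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.48%|system time|0.45%|system CPU|7.14687%|iowait|0.0224%"),
    ("hostA", "System_GSystem|GSystemWatcher|Health|ProcMaxGB|0|ProcAlertGB|0|CurrentGB|16|SysMinFreePct|10|SysAlertFreePct|30|FreePct|77"),
    ("hostA", "System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.46%|system time|0.44%|system CPU|7.11321%|iowait|0.056%"),
    ("hostB", "System_GSystem|GSystemWatcher|Idle|involuntary context switches|0|user time|0.61%|system time|0.46%|system CPU|8.64004%|iowait|0.0448%"),
    # Space-padded variant, as quoted in the opening post.
    ("hostB", "system CPU | 6.039 % | system time | 0.009 % |"),
]

# Equivalent of the SPL rex: tolerate optional spaces around the pipe and before
# the percent sign, and capture only the number so it can be averaged.
CPU_RE = re.compile(r"system CPU\s*\|\s*(?P<CPU_perc>\d+(?:\.\d+)?)\s*%")

# Greedy pattern that requires whitespace before '%': kept to show it misses
# both record styles above (no whitespace follows the value in either).
GREEDY_RE = re.compile(r"system CPU\|(?P<CPU_perc>[^ ]+)\s+%")


def extract_cpu(raw, pattern=CPU_RE):
    """Return the CPU percentage as a float, or None when the event lacks the field."""
    m = pattern.search(raw)
    return float(m.group("CPU_perc")) if m else None


def avg_cpu_by(events, pattern=CPU_RE):
    """Mimic `| rex ... | stats avg(CPU_perc) BY host`; events without the field are skipped."""
    buckets = defaultdict(list)
    for key, raw in events:
        value = extract_cpu(raw, pattern)
        if value is not None:
            buckets[key].append(value)
    return {k: round(mean(v), 5) for k, v in buckets.items()}


if __name__ == "__main__":
    print(avg_cpu_by(EVENTS))             # {'hostA': 7.13004, 'hostB': 7.33952}
    print(avg_cpu_by(EVENTS, GREEDY_RE))  # {} : greedy pattern extracts nothing
```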