Dashboards & Visualizations

How to display top 10 CPU intensive windows processes using Splunk Dashboard

rahulsaxena015
New Member

Hi Team,

I am developing a dashboard that will list Windows Processes that are CPU intensive. My query looks like below:

index=platform_connect_os earliest=-5m host=host* source="Perfmon:Process" counter="% Processor Time" (instance!="_Total" AND instance!="Idle" AND instance!="System") | stats avg(Value) as "CPU Time by Host" by host, instance | sort 0 -host, -"CPU Time by Host" | streamstats count as sno by host | where sno>4 | fields - sno

I am getting the below output:
[screenshot of the query output]

Can someone confirm whether the results are correct or not? What is the unit of CPU Time by Host? I can't understand these numbers. Basically I want to display something like below:
[screenshot of the desired table layout]

I want to list process followed by CPU in human readable format in Splunk dashboard.

Please help.

Thanks,
Rahul


rahulsaxena015
New Member

Based on your suggestions I added a wmi.conf file and executed the below query:

index=windows host=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| stats avg(cputime) as cputime by _time,host,Name
| rex field=Name "(?[^#]*)#{0,}"
| stats sum(cputime) as cputime by _time,host,Command
| timechart limit=50 useother=f avg(cputime) as cputime by Command

This query returns an error: "Error in 'rex' command: Encountered the following error while compiling the regex '(?[^#]*)#{0,}': Regex: unrecognized character after (? or (?- "

I am not sure where in regex it is failing. Can you help please?

At the same time, if I execute the following query, it works without any problem:

index=windows host=host* sourcetype="WMI:process" Name!=_Total Name!=Idle
| reverse | streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS)
| search cputime > 0
| timechart limit=50 useother=f avg(cputime) by Name

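The rex error above comes from a named capture group whose name is missing: after "(?" PCRE expects a name such as "<Command>" (the name the later "stats ... by Command" relies on). The following Python is an added example, not part of this thread or of Splunk, that mirrors the SPL pipeline offline: per-instance deltas of PercentProcessorTime over Timestamp_Sys100NS, the "#n" suffix stripped with a correctly named group, and the result summed per command and ranked. The sample records, process names and tick values are constructed; the 5-second poll interval is an assumption.

```python
import re
from collections import defaultdict

# SPL's rex needs a named group: "(?<Command>[^#]*)#{0,}". Python spells the
# same group "(?P<Command>...)"; the bare "(?[^#]*)" in the post is what fails.
COMMAND_RE = re.compile(r"(?P<Command>[^#]*)#{0,}")

# Constructed WMI:process samples (Name, Timestamp_Sys100NS, PercentProcessorTime).
# Both counters count 100 ns ticks; 50_000_000 ticks is an assumed 5 s poll interval.
SAMPLES = [
    ("McAfee#1", 1_000_000_000, 200_000_000),
    ("McAfee#1", 1_050_000_000, 237_500_000),   # ran 3.75 s of 5 s -> 75%
    ("McAfee",   1_000_000_000, 100_000_000),
    ("McAfee",   1_050_000_000, 102_500_000),   # 5%
    ("splunkd",  1_000_000_000,  50_000_000),
    ("splunkd",  1_050_000_000,  55_000_000),   # 10%
    ("chrome#2", 1_000_000_000, 900_000_000),
    ("chrome#2", 1_050_000_000, 100_000_000),   # counter reset: negative delta, dropped
    ("_Total",   1_000_000_000, 400_000_000),
    ("_Total",   1_050_000_000, 450_000_000),   # excluded, like Name!=_Total in the search
]


def command_name(name):
    """Strip the '#n' suffix WMI appends to duplicate process names."""
    return COMMAND_RE.match(name).group("Command")


def cpu_percent_by_command(samples, exclude=("_Total", "Idle")):
    """Per-instance deltas of consecutive samples (streamstats by Name), summed by command."""
    by_instance = defaultdict(list)
    for name, ts, proc_time in samples:
        if name not in exclude:
            by_instance[name].append((ts, proc_time))
    total = defaultdict(float)
    for name, rows in by_instance.items():
        rows.sort()                       # oldest first, like '| reverse'
        for (t0, p0), (t1, p1) in zip(rows, rows[1:]):
            if t1 == t0:
                continue
            cputime = 100.0 * (p1 - p0) / (t1 - t0)   # percent of one core over the interval
            if cputime > 0:               # '| search cputime > 0' drops resets
                total[command_name(name)] += cputime
    return dict(total)


def top_n(cpu_by_command, n=10):
    """Highest consumers first: the rows a dashboard table would show."""
    return sorted(cpu_by_command.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for command, pct in top_n(cpu_percent_by_command(SAMPLES)):
        print(f"{command:<10} {pct:6.1f}%")
```

Because the ratio is against one core's worth of ticks, a multi-threaded process on a multi-core host can exceed 100; divide by the core count if the dashboard should show a share of the whole machine.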

adonio
SplunkTrust

hello there,

you are on the right track, leveraging the right values and fields.
can you elaborate on what exactly it is you would like to accomplish? it's hard for me to understand whether you would like to see CPU by a single host, across hosts, or per process.
it's worthwhile to pay attention to your perfmon counter pull interval; check it in inputs.conf.
lastly, there are many articles about your use case; start here:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowsperformance
it describes some caveats on this particular counter (scroll almost all the way down)
and there are more articles and answers:
https://answers.splunk.com/answers/122302/how-to-get-a-good-measure-of-load-or-cpu-utilization-in-wi...
https://www.octamis.com/octamis-blog/windows-performance-monitoring-tips-with-splunk/
there are plenty more out there

hope it helps


rahulsaxena015
New Member

Thanks for your response. I want to list processes that are consuming CPU when CPU usage goes to >=70%.

E.g., say McAfee is utilizing the most CPU; I should be able to see that in my dashboard.

My current query returns CPU Time as 21.2222, but I want it displayed in %. Say McAfee is using 75% of CPU; I should be able to see on the dashboard McAfee under Instance and 75% under CPU Time by Host.

Hope it clarifies.
