Hello,
I have a report I am having issues with. It is for CPU usage on laptops. I have tried the stats perc() and the stats avg(). I get a lot of false positives. For instance, if a laptop gets powered on for a couple of hours, there would be 8 data points, since the default is to pull CPU usage every 15 mins. So 4 of the data points could be high CPU usage, but that is explained by the bootup, patching and other scripts running. What we care about is consistent CPU usage. So we are monitoring the data points, and for every data point that goes over 70% CPU we add one to the count. Then over a week we only want to see, per machine, when we have more than 70 data points going over 70%. The challenge I am having is that I also want to get a total count of data points as well, so we can take the total data points, compare it to the high CPU data points, and get a percentage of high processor time.
So this is the code I have, and it works at telling me the data points over 70%, but whenever I try and play around with adding an overall total I cannot get it to work.
index=wss_desktop_perfmon sourcetype="wks:Perf_Processor" %_Processor_Time > 69
| stats count as CPULoad avg(%_Processor_Time) as %_Processor_Time by host
| lookup local=true PrimaryUsers.csv host AS host OUTPUT host DeviceType FullName Location Address Model OSVer TotalPhysicalMemoryKB Email PrimaryUser Supervisor "Supervisor Email"
| search Location IN ("GA1*", "GA7*", "GA9*")
| where CPULoad > 70
| rename CPULoad as "High CPU DataPoint"
Host | High CPU DataPoint | %_Processor_Time |
Computer1 | 97 | 78.54106664 |
Now I would like to add in a total count of data points from %_Processor_Time
If you're looking to count ALL data points, then you'll need to remove the >69 filter in the first search.
Try this
index=wss_desktop_perfmon sourcetype="wks:Perf_Processor"
| stats count as totalDataPoints count(eval('%_Processor_Time' > 69)) as CPULoad avg(eval(if('%_Processor_Time'>69,'_Processor_Time', null()))) as %_Processor_Time by host
for the first two lines. What this does is
Then when you have finished that stats, you have an extra field 'totalDataPoints' for each host as well as the original fields.
This worked great, there was just one minor update I had to do. I added the % on the second _processor_time
avg(eval(if('%_Processor_Time'>69,'%_Processor_Time', null())))
Ooops - my bad - well spotted 😀 - glad it worked
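Putting the thread together, as an added example that is not part of any post above: the stats clause from the answer with the field-name correction from the follow-up, then the original lookup and filters, plus an eval for the percentage of high-CPU data points the question asks for. The field name HighCPUPct and the final column labels "Total DataPoints" and "High CPU %" are assumptions introduced here.

```spl
index=wss_desktop_perfmon sourcetype="wks:Perf_Processor"
| stats count as totalDataPoints count(eval('%_Processor_Time' > 69)) as CPULoad avg(eval(if('%_Processor_Time' > 69, '%_Processor_Time', null()))) as %_Processor_Time by host
| lookup local=true PrimaryUsers.csv host AS host OUTPUT host DeviceType FullName Location Address Model OSVer TotalPhysicalMemoryKB Email PrimaryUser Supervisor "Supervisor Email"
| search Location IN ("GA1*", "GA7*", "GA9*")
| where CPULoad > 70
| eval HighCPUPct = round(CPULoad / totalDataPoints * 100, 2)
| rename CPULoad as "High CPU DataPoint", totalDataPoints as "Total DataPoints", HighCPUPct as "High CPU %"
```

Because the base search no longer filters on the value, totalDataPoints counts every sample in the selected time range, so the percentage is only meaningful over the same window (one week in the question) used for the 70-data-point threshold.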