I am writing a search which I intend to use to create an alert from. I keep getting "No Results" from this search unless I remove the third line (where Percent.........). Something is wrong with that filter but I can't seem to figure out what it is.
Here is the search:
index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" OR counter="% Processor Time" OR counter="% C2 Time"
| eval level=if(PercentUsedSpace>=90,"CRITICAL",if(PercentUsedSpace>=80,"WARNING",""))
| where PercentUsedSpace >=80
| table level _time host Value
| sort - PercentUsedSpace
| dedup host
| rename level as severity
My intended result is something like this:
Severity Time Host Value
I would like to convert the results in the field to actual percentages.
Any help is appreciated. Thanks.
Hello @dharveynswccd,
Try this:
index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" OR counter="% Processor Time" OR counter="% C2 Time" PercentUsedSpace>=80
| stats values(Value) as Value by PercentUsedSpace, host, _time
| eval level=if(PercentUsedSpace>=90,"CRITICAL",if(PercentUsedSpace>=80,"WARNING",""))
| rename level as severity
Cheers,
David
@DavidHourani,
Thanks for the response to my question. Unfortunately I received the "no results" even after changing the Warning and Critical values to much lower numbers.
Umm... weird.
Does the first line alone give you anything?
index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" OR counter="% Processor Time" OR counter="% C2 Time" PercentUsedSpace>=80
Wait, now that I read it again, why are you filtering on used space when all your counters are linked to CPU? The field PercentUsedSpace is not even part of your events, is it?
You are indeed correct. Earlier, when I was writing the search, I followed the auto-complete in the search bar, which led me to that. I just changed that to windows_cpu_load_percent and I am now seeing results, even writing the search two different ways. I still need to dumb it down a little, but the two below seem to work:
index=oswinperf sourcetype="Perfmon:CPU"
| bucket _time span=30m
| eval Load=if(windows_cpu_load_percent>=90,"CRITICAL",if(windows_cpu_load_percent>=80,"WARNING",""))
| table Load _time host windows_cpu_load_percent
| sort - windows_cpu_load_percent
| dedup host
| rename Load as severity
I'm still trying to determine how to convert a decimal to a whole number in the percentage column. Any thoughts on this?
Ah that's great, glad you found the error there... really weird when the autocorrect happens.
You can use the round function. Something like this:
|eval windows_cpu_load_percent=round(windows_cpu_load_percent,0)
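The following is an added example, not a search posted in this thread, that puts the pieces discussed above together end to end: the severity classification, the round() call, and a per-host dedup so the alert fires once per host on its worst sample. It assumes the windows_cpu_load_percent field name from the working search and uses makeresults to build a few constructed CPU samples, so it runs on any Splunk instance without the oswinperf index.

```spl
| makeresults count=4
| streamstats count AS n
| eval host=case(n=1,"web01", n=2,"web01", n=3,"db01", n=4,"app01")
| eval windows_cpu_load_percent=case(n=1,93.456, n=2,81.2, n=3,85.75, n=4,42.1)
| eval _time=_time - (n*1800)
| eval severity=case(windows_cpu_load_percent>=90,"CRITICAL", windows_cpu_load_percent>=80,"WARNING", true(),"OK")
| where severity!="OK"
| eval windows_cpu_load_percent=round(windows_cpu_load_percent,0)
| sort - windows_cpu_load_percent
| dedup host
| table severity _time host windows_cpu_load_percent
```

With the constructed samples this returns two rows: web01 as CRITICAL with 93 and db01 as WARNING with 86 (85.75 rounded to zero decimals), while app01 at 42.1 is dropped by the where clause. Sorting on the percentage before dedup host is what keeps the highest sample per host rather than an arbitrary one. The same structure also shows why the original search returned nothing: a where clause on a field that is absent from every event, such as PercentUsedSpace on CPU counters, evaluates to false for every row, so an alert built on it would silently never trigger.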
Worked! Thanks for the assists!!
David I awarded you 2 points. Hope that's a good reward. Not sure what the norm is.
Thank you! 😄
Usually, if you up-vote any comment/question/answer, that gives 15 karma to the person who posted it. If you accept an answer, that is 25 karma. So if you're into gathering karma points, just upvote and accept and keep your points ^^
Good 2 know
Edit: The second to last line here should read:
I would like to convert the results in the "Value" field to actual percentages