Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the peak CPU usage and duration of that peak usage for each machine from Windows performance logs?

rwiley
Explorer
‎06-09-2016 06:16 AM

I am getting performance logs from several Windows servers. The value field shows the % of usage for each machine. I want to pull the peak usage from a given time range and show the peak and duration that it stayed at the peak usage for that time. I tried to use eval max, but I was not able to get it to return the data I needed.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2016 11:52 AM

Try this

sourcetype="Perfmon:CPU Load" host=LOG01DLMNMO | table _time host, collection, counter, Value | sort 0 _time 
| dedup host, collection, counter, Value | streamstats current=f window=1 values(_time) as prev_time values(Value) as prev_value
| where isnotnull(prev_value) | eventstats max(prev_value) as max | where prev_value=max 
| eval duration=_time-prev_time | table host, collection, counter , prev_value , duration | rename prev_value as Peak_Value

View solution in original post

Reply
Solved! Jump to solution

minglani
New Member
‎02-28-2019 09:57 AM

This is really good script, I am stuggling to get this working, for CPU load % was to stay over 50% for 2 mins or more.

0 Karma
Reply
Solved! Jump to solution

jtrimmi1
Explorer
‎05-08-2019 12:23 PM

Nice, thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2016 11:52 AM

Try this

sourcetype="Perfmon:CPU Load" host=LOG01DLMNMO | table _time host, collection, counter, Value | sort 0 _time 
| dedup host, collection, counter, Value | streamstats current=f window=1 values(_time) as prev_time values(Value) as prev_value
| where isnotnull(prev_value) | eventstats max(prev_value) as max | where prev_value=max 
| eval duration=_time-prev_time | table host, collection, counter , prev_value , duration | rename prev_value as Peak_Value
Reply
Solved! Jump to solution

rwiley
Explorer
‎06-09-2016 12:03 PM

thank you. this looks like what i needed.

0 Karma
Reply
Solved! Jump to solution

bhanue
New Member
‎01-26-2020 03:19 AM

Hi All,
I am very new to Splunk.

My organisation uses Splunk for all infra monitoring, I am trying to get the "Peak CPU average" (or) the highest CPU hit per instance in last 24 hours of all my Azure VM's.

I am able to get average average using bellow query, but I need peak average - Can you please help.

host=AZR* index="perfmon" source="Perfmon:CPU" counter="% Processor Time" | stats avg(Value) as avgcpu by host

host=AZR* index="perfmon" source="Perfmon:Memory" counter="% Committed Bytes In Use" | stats avg(Value) as AvgMemory by host

0 Karma
Reply
Solved! Jump to solution

minglani
New Member
‎03-01-2019 05:18 AM

This is really good script, I am stuggling to get this working, for CPU load % was to stay over 50% for 2 mins or more.

0 Karma
Reply
Solved! Jump to solution

suarezry
Builder
‎06-09-2016 06:26 AM

show us a sample of the events in splunk and what your desired results should be

0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎06-09-2016 06:44 AM

sourcetype="Perfmon:CPU Load" host=LOG01DLMNMO | table host, collection, counter, Value

host | collection | counter | Value
server |CPU Load | %Processor Time | 0.1346..

would like to see
host | collection | counter |peak value | duration of peak value

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...