Splunk Search

How to search for the peak CPU usage, and the duration of that peak, for each machine from Windows performance logs?

rwiley
Explorer

I am getting performance logs from several Windows servers. The Value field shows the % of usage for each machine. I want to pull the peak usage from a given time range and show the peak and the duration that it stayed at that peak usage. I tried to use eval max, but I was not able to get it to return the data I needed.

0 Karma
1 Solution

somesoni2
SplunkTrust

Try this

sourcetype="Perfmon:CPU Load" host=LOG01DLMNMO
| table _time, host, collection, counter, Value
| sort 0 _time
| dedup host, collection, counter, Value consecutive=true
| streamstats current=f window=1 values(_time) as prev_time values(Value) as prev_value
| where isnotnull(prev_value)
| eventstats max(prev_value) as max
| where prev_value=max
| eval duration=_time-prev_time
| table host, collection, counter, prev_value, duration
| rename prev_value as Peak_Value


minglani
New Member

This is a really good script. I am struggling to get this working for the case where the CPU load % stays over 50% for 2 mins or more.

0 Karma
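An added worked example (editor's code, not from the thread) that models in plain Python what the accepted search computes, so the logic can be checked offline before it is trusted in a dashboard. The sample events, host names and timestamps are constructed. The same run-grouping helper also covers minglani's follow-up (load over a threshold for a minimum time), and it makes two points explicit that the SPL has to get right: a peak value that recurs later in the range must not be dropped (only adjacent duplicate readings may be collapsed, hence `consecutive=true`), and a run that is still going at the end of the time range has no next sample to measure against.

```python
from itertools import groupby
from operator import itemgetter

# Constructed sample events (hosts, timestamps and values are made up):
# (epoch seconds, host, "% Processor Time"); one sample every 30 s per host.
SAMPLES = [
    (1700000000, "LOG01", 12.5),
    (1700000030, "LOG01", 87.0),   # peak run starts
    (1700000060, "LOG01", 87.0),
    (1700000090, "LOG01", 87.0),   # value changes at the next sample: run = 90 s
    (1700000120, "LOG01", 40.0),
    (1700000150, "LOG01", 87.0),   # peak recurs later as a second, 30 s run
    (1700000180, "LOG01", 12.5),
    (1700000000, "LOG02", 55.0),   # above 50 for four samples = 120 s
    (1700000030, "LOG02", 61.0),
    (1700000060, "LOG02", 58.0),
    (1700000090, "LOG02", 70.0),
    (1700000120, "LOG02", 49.0),
    (1700000150, "LOG02", 51.0),   # above 50 again and still above at the last sample
    (1700000180, "LOG02", 52.0),
    (1700000210, "LOG02", 53.0),
    (1700000240, "LOG02", 54.0),
    (1700000270, "LOG02", 60.0),
]


def runs(samples, key):
    """Yield (host, key_value, start, last, nxt, peak) for each maximal run of
    consecutive samples on one host that share key(value).  `nxt` is the
    timestamp of the first sample after the run, or None if the run reaches
    the host's last sample.  This is the sort 0 _time + dedup consecutive=true
    + streamstats current=f window=1 part of the SPL, done per host."""
    ordered = sorted(samples, key=itemgetter(1, 0))
    for host, group in groupby(ordered, key=itemgetter(1)):
        events = list(group)
        i = 0
        while i < len(events):
            k = key(events[i][2])
            j = i
            while j < len(events) and key(events[j][2]) == k:
                j += 1
            nxt = events[j][0] if j < len(events) else None
            peak = max(e[2] for e in events[i:j])
            yield host, k, events[i][0], events[j - 1][0], nxt, peak
            i = j


def peak_durations(samples):
    """Per host: the peak value and one duration (seconds) per run spent at
    exactly that value, measured from the run's first sample to the first
    sample at a different value.  This is what the accepted answer reports,
    one row per run; a run that never ends inside the range is None."""
    peak = {}
    for _, host, value in samples:
        peak[host] = max(peak.get(host, value), value)
    out = {host: {"peak": peak[host], "durations": []} for host in peak}
    for host, value, start, _, nxt, _ in runs(samples, key=lambda v: v):
        if value == peak[host]:
            out[host]["durations"].append(None if nxt is None else nxt - start)
    return out


def sustained_above(samples, threshold, min_seconds):
    """Runs where Value > threshold held for at least min_seconds (the
    follow-up question: over 50 % for 120 s).  An open run, one with no
    sample below the threshold yet, uses its last sample time as a lower
    bound and is flagged open=True so a host still pegged at the end of the
    range is not missed."""
    hits = []
    for host, above, start, last, nxt, peak in runs(samples, key=lambda v: v > threshold):
        if not above:
            continue
        is_open = nxt is None
        duration = (last if is_open else nxt) - start
        if duration >= min_seconds:
            hits.append({"host": host, "start": start, "duration": duration,
                         "peak": peak, "open": is_open})
    return hits


if __name__ == "__main__":
    for host, info in sorted(peak_durations(SAMPLES).items()):
        print(host, info)
    for hit in sustained_above(SAMPLES, threshold=50, min_seconds=120):
        print(hit)
```

Two consequences for the SPL: with plain `dedup` (no `consecutive=true`) the second 87.0 run on LOG01 would be discarded and its neighbour's duration miscounted; and for the threshold version the field to collapse on is a flag such as `eval above=if(Value>50,1,0)` rather than the raw Value, with `by host` on `streamstats` when more than one host is in the search (this mapping to SPL is the editor's suggestion, not something the thread states).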

jtrimmi1
Explorer

Nice, thanks!

0 Karma

rwiley
Explorer

Thank you. This looks like what I needed.

0 Karma

bhanue
New Member

Hi all,
I am very new to Splunk.

My organisation uses Splunk for all infra monitoring. I am trying to get the "peak CPU average", or the highest CPU hit per instance, in the last 24 hours for all my Azure VMs.

I am able to get the average using the queries below, but I need the peak average. Can you please help?

host=AZR* index="perfmon" source="Perfmon:CPU" counter="% Processor Time" | stats avg(Value) as avgcpu by host

host=AZR* index="perfmon" source="Perfmon:Memory" counter="% Committed Bytes In Use" | stats avg(Value) as AvgMemory by host

0 Karma

suarezry
Builder

Show us a sample of the events in Splunk and what your desired results should be.

0 Karma

rwiley
Explorer

sourcetype="Perfmon:CPU Load" host=LOG01DLMNMO | table host, collection, counter, Value

host   | collection | counter         | Value
server | CPU Load   | %Processor Time | 0.1346..

I would like to see:

host | collection | counter | peak value | duration of peak value

0 Karma