Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit Windows performance search to calculate average CPU time and generate a table that displays processes consuming greater than 50% CPU?

vikas_gopal
Builder
‎12-26-2016 04:07 AM

Hi Experts,

I know that we have Splunk App for Windows Infrastructure but I am not using this app. For CPU and Processes, I am using following in wmi.conf:

CPU
[WMI:CPUTime]
interval = 03
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = abc
disabled = 0

Result
PercentProcessorTime=10
PercentUserTime=4
wmi_type=CPUTime

Question :- Am I calculating correctly the avg CPU time over time?

index=abc source="WMI:CPUTime" |eval overallCPU=PercentProcessorTime+PercentUserTime| timechart avg(overallCPU) AS CPU_Utilization

Processes
[WMI:LocalProcesses]
interval = 30
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = abc
disabled = 0

Question :- I want to show a table that contains host name, Process name, and CPU_utilization and this table only shows those processes which are consuming more that 50% CPU. Please help me to create this search. The problem I am facing is when creating a sub search, so idea is to get CPU>=50 and corresponding processes.

Regards
VG

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-26-2016 05:23 AM

For the value of total processor utilization systemwide, use the Processor(_Total)\% Processor Time counter.

https://technet.microsoft.com/en-us/library/cc938593.aspx

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-26-2016 05:23 AM

For the value of total processor utilization systemwide, use the Processor(_Total)\% Processor Time counter.

https://technet.microsoft.com/en-us/library/cc938593.aspx

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-26-2016 05:26 AM

For second question just add this to your search

| where PercentProcessorTime>=50

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-26-2016 05:24 AM

In other words don't combine percent processor time with percent user time. Just use percent processor time.

0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎12-26-2016 05:57 AM

I get it thanks man you are awesome.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...