Help with query, transactions and percentage. Need...

Rialf1959 · ‎08-08-2017

Hello, I need help with this query. Cpu_percent field return values in percentage, so it might be a problem.
Basically i need to find all containers where cpu_percent usage is above 50% during 5mins and print some fields. I need it for realtime alerting. I am using ta-dockerstats addon.
This is my first query 😞

My example:

index=main source="docker_stats" host=* |stats last(cpu_percent) as CPU by container_id |where CPU> 30 | transaction host, container_id, CPU > 30 maxpause=5m | where duration>300 | fields _time, duration, host, CPU, container_id

Thanks

woodcock · ‎08-08-2017

DO NOT use realtime for this. Not only will it not work properly, but it kills your performance.

cmerriman · ‎08-08-2017

Alright, so from what i can see, it looks like you're filtering out the cpu_percent that's greater than 30% by container_id and then running a transaction where the events are 5 minutes apart and also only last 5 minutes.

Is this an alert running every 5 minutes? if so, try something like this:

index=main source="docker_stats" host=* earliest=-5m|stats last(cpu_percent) as CPU by container_id |search CPU>50| fields _time, host, CPU, container_id

if you need it ran for a longer duration of time:

index=main source="docker_stats" host=*|eventstats last(cpu_percent) as CPU by container_id| transaction host, container_id maxspan=5m maxpause=5m|search CPU>50 | fields _time, duration, host, CPU, container_id

Help with query, transactions and percentage. Need it for Alerting.

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor