Splunk Search

Look up CPU data from another search

tmontney
Builder

Edit: Now thinking about it, I probably could combine the two queries, in wmi.conf, into one. However, let's assume that isn't possible for the sake of learning.

Edit2: You'd think the following search would work but it errors out: | eval NumCores=[ search index=perfmon sourcetype="WMI:processinfo" host="MYHOST" | return $NumberOfCores ]

I have two searches that need to be combined:

index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle 
| reverse 
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name 
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS) 
| search cputime > 0 AND cputime < 400 
| timechart span=3 avg(cputime) by Name

index=perfmon sourcetype="WMI:processinfo" 
| dedup host
| table host NumberOfCores

The idea is that I want to be able to look up CPU usage for each PC. The problem is that I can only see overall usage, not per process. The first search allows me to do that; however, it depends on knowing the total CPU cores for that machine. If I want to put it in a dashboard (or automate it in any way), I need to be able to search it.

This is my wmi.conf on the server (for the app deployed to my forwarders).

[WMI:process]
index = perfmon
disabled = 0
interval = 450
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process

[WMI:processinfo]
index = perfmon
disabled = 0
interval = 86400
wql = SELECT * FROM Win32_Processor

Basically, I want to match the hostname from sourcetype WMI:process in the sourcetype WMI:processinfo, which looks for NumberOfCores. WMI:processinfo is only updated daily (maybe even less often than that) as it's mostly static info. I've tried things like append/subsearch/transaction/coalesce, but I don't think I'm using them properly. In my mind, it would work if NumberOfCores was inserted in each event where its hostname matched (aka if I could've combined both queries in my wmi.conf).

0 Karma

somesoni2
Revered Legend

Give this a try:

index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle 
| sort 0 host _time 
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by host Name 
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS) 
| search cputime > 0 AND cputime < 400 
| bucket span=3 _time 
| stats avg(cputime) as cputime by _time host Name 
| join host [search index=perfmon sourcetype="WMI:processinfo" earliest=-24h 
    | stats latest(NumberOfCores) as NumberOfCores by host] 
| eval cputime = cputime / NumberOfCores 
| timechart span=3 avg(cputime) by Name
0 Karma
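The pipeline in the answer above, re-implemented in plain Python as an added example (not code from either poster) so the counter arithmetic and the host join can be checked offline: raw PercentProcessorTime and Timestamp_Sys100NS ticks are diffed per host and process (the streamstats step), out-of-range deltas such as a counter reset are dropped (the search step), and the newest NumberOfCores per host is joined in the way `stats latest(...) by host` inside the join does. All events are constructed sample data; host names and process names are assumptions.

```python
def ev(t, host, name, ppt, ts):
    """Build one WMI:process event with raw 100ns tick counters, as the wql above collects them."""
    return {"_time": t, "host": host, "Name": name,
            "PercentProcessorTime": ppt, "Timestamp_Sys100NS": ts}

# Constructed sample data, not real telemetry: two samples, 3 seconds apart, per process.
PROCESS_EVENTS = [
    ev(0, "PC1", "chrome", 1_000_000, 100_000_000), ev(3, "PC1", "chrome", 1_600_000, 130_000_000),
    ev(0, "PC1", "Idle", 9_000_000, 100_000_000), ev(3, "PC1", "Idle", 9_900_000, 130_000_000),
    ev(0, "PC1", "app", 5_000_000, 100_000_000), ev(3, "PC1", "app", 2_000_000, 130_000_000),  # restarted
    ev(0, "PC2", "svchost", 0, 200_000_000), ev(3, "PC2", "svchost", 60_000_000, 230_000_000),
    ev(0, "PC3", "lsass", 0, 300_000_000), ev(3, "PC3", "lsass", 300_000, 330_000_000),  # no core count
]
# WMI:processinfo is daily, so a host may carry several readings; PC2's newest one must win.
PROCESSINFO_EVENTS = [
    {"_time": -86400, "host": "PC1", "NumberOfCores": 4},
    {"_time": -90000, "host": "PC2", "NumberOfCores": 4},
    {"_time": -100, "host": "PC2", "NumberOfCores": 2},
]

def latest_cores_by_host(processinfo_events):
    """Same role as `stats latest(NumberOfCores) as NumberOfCores by host` in the join subsearch."""
    latest = {}
    for e in processinfo_events:
        if e["host"] not in latest or e["_time"] > latest[e["host"]]["_time"]:
            latest[e["host"]] = e
    return {h: e["NumberOfCores"] for h, e in latest.items()}

def per_process_cpu(process_events, cores_by_host, low=0, high=400):
    """sort host _time | streamstats current=f last(...) by host Name | eval | search | join host."""
    rows, prev = [], {}  # prev[(host, Name)] is what streamstats' last() holds for the current event
    for e in sorted(process_events, key=lambda x: (x["host"], x["_time"])):
        if e["Name"] in ("_Total", "Idle"):
            continue
        key = (e["host"], e["Name"])
        last, prev[key] = prev.get(key), e
        if last is None:
            continue  # first sample of a process has no previous counter, so no delta yet
        dt = e["Timestamp_Sys100NS"] - last["Timestamp_Sys100NS"]
        if dt <= 0:
            continue  # duplicate or out-of-order timestamp; no interval to divide by
        cputime = 100 * (e["PercentProcessorTime"] - last["PercentProcessorTime"]) / dt
        if not (low < cputime < high):
            continue  # counter reset after a restart (negative) or an impossible spike
        if e["host"] not in cores_by_host:
            continue  # a plain join is an inner join: hosts with no WMI:processinfo event drop out
        rows.append({"host": e["host"], "Name": e["Name"], "_time": e["_time"],
                     "cputime": cputime, "cpu_per_core": cputime / cores_by_host[e["host"]]})
    return rows
```

`cputime` is the summed-across-cores percentage the raw counters yield (hence the 400 ceiling), and `cpu_per_core` is the value divided by the joined core count.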