Splunk Search

Look up CPU data from another search

tmontney
Builder

Edit: Now thinking about it, I probably could combine the two queries, in wmi.conf, into one. However, let's assume that isn't possible for the sake of learning.

Edit2: You'd think the following search would work but it errors out: | eval NumCores=[ search index=perfmon sourcetype="WMI:processinfo" host="MYHOST" | return $NumberOfCores ]

I have two searches that need to be combined:

index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle 
| reverse 
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by Name 
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS) 
| search cputime > 0 AND cputime < 400 
| timechart span=3 avg(cputime) by Name

index=perfmon sourcetype="WMI:processinfo" 
| dedup host
| table host NumberOfCores

The idea is I want to be able to lookup CPU usage for each PC. Problem is I can only see overall usage, not per process. The first search allows me to do that; however, it depends on knowing the total CPU cores for that machine. If I want to put it in a dashboard (or automate it in any way), I need to be able to search it.

This is my wmi.conf on the server (for the app deployed to my forwarders).

[WMI:process]
index = perfmon
disabled = 0
interval = 450
wql = Select IDProcess,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process

[WMI:processinfo]
index = perfmon
disabled = 0
interval = 86400
wql = SELECT * FROM Win32_Processor

Basically, I want to match the hostname from sourcetype WMI:process in the sourcetype WMI:processinfo, which looks for NumberOfCores. WMI:processinfo is only updated daily (maybe even less than that) as it's mostly static info. I've tried things like append/subsearch/transaction/coalesce, but I don't think I'm using them properly. In my mind, it would work if NumberOfCores was inserted in each event where its hostname matched (aka if I could've combined both queries in my wmi.conf).

0 Karma

somesoni2
SplunkTrust

Give this a try

index=perfmon sourcetype="WMI:process" earliest=-3m Name!=_Total Name!=Idle 
| sort 0 host _time 
| streamstats current=f last(PercentProcessorTime) as last_PercentProcessorTime last(Timestamp_Sys100NS) as last_Timestamp_Sys100NS by host Name 
| eval cputime = 100 * (PercentProcessorTime - last_PercentProcessorTime) / (Timestamp_Sys100NS - last_Timestamp_Sys100NS) 
| search cputime > 0 AND cputime < 400 
| bucket span=3 _time 
| stats avg(cputime) as cputime by _time host Name 
| join host [search index=perfmon sourcetype="WMI:processinfo" earliest=-24h 
| stats latest(NumberOfCores) as NumberOfCores by host] 
| eval cputime = cputime / NumberOfCores 
| timechart span=3 avg(cputime) by Name
0 Karma
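The arithmetic behind the question's search (raw counter deltas turned into a percentage) and the answer's per-host join of NumberOfCores, worked through in plain Python so the numbers can be checked by hand. This is an added example, not code from the thread or from Splunk; the events, hostnames PC1/PC2/PC3 and core counts are constructed sample data, and the function names (latest_cores, per_process_cpu, join_cores, cpu_per_core_by_host) are this example's own. It goes slightly beyond the thread in one respect: it divides the result by the joined core count so hosts with different core counts become comparable, which is what the join is for.

```python
"""Per-process CPU from raw WMI counters, joined with per-host core counts.
Added example; mirrors the SPL in the thread (streamstats current=f + eval,
then join host) but is not the thread's or Splunk's own code."""

# Constructed sample events (not real data). Both counters are in 100-ns
# ticks, as in Win32_PerfRawData_PerfProc_Process, so their ratio is the
# share of elapsed time the process spent on *any* core (can exceed 100).
PROCESS_EVENTS = [
    {"_time": 1, "host": "PC1", "Name": "_Total", "PercentProcessorTime": 0, "Timestamp_Sys100NS": 10000},
    {"_time": 1, "host": "PC1", "Name": "chrome", "PercentProcessorTime": 1000, "Timestamp_Sys100NS": 10000},
    {"_time": 2, "host": "PC1", "Name": "chrome", "PercentProcessorTime": 31000, "Timestamp_Sys100NS": 20000},
    {"_time": 1, "host": "PC2", "Name": "chrome", "PercentProcessorTime": 500, "Timestamp_Sys100NS": 10000},
    {"_time": 2, "host": "PC2", "Name": "chrome", "PercentProcessorTime": 10500, "Timestamp_Sys100NS": 20000},
    {"_time": 3, "host": "PC2", "Name": "chrome", "PercentProcessorTime": 10500, "Timestamp_Sys100NS": 30000},  # idle interval
    {"_time": 1, "host": "PC3", "Name": "chrome", "PercentProcessorTime": 0, "Timestamp_Sys100NS": 10000},
    {"_time": 2, "host": "PC3", "Name": "chrome", "PercentProcessorTime": 5000, "Timestamp_Sys100NS": 20000},
]
# Constructed WMI:processinfo events. PC2 appears twice so "latest" matters;
# PC3 has no entry at all, to show what the inner join does with it.
CORE_EVENTS = [
    {"_time": 0, "host": "PC1", "NumberOfCores": 4},
    {"_time": 0, "host": "PC2", "NumberOfCores": 1},
    {"_time": 5, "host": "PC2", "NumberOfCores": 2},
]


def latest_cores(events):
    """Mirror `stats latest(NumberOfCores) as NumberOfCores by host`."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        latest[ev["host"]] = ev["NumberOfCores"]  # later events overwrite earlier
    return latest


def per_process_cpu(events, lo=0, hi=400):
    """Mirror `sort host _time | streamstats current=f last(...) by host Name
    | eval cputime ... | search cputime > lo AND cputime < hi`.
    The first sample of each (host, Name) series has no previous counter and
    is dropped, as streamstats current=f leaves its last_* fields null."""
    prev = {}
    rows = []
    for ev in sorted(events, key=lambda e: (e["host"], e["_time"])):
        if ev["Name"] in ("_Total", "Idle"):
            continue
        key = (ev["host"], ev["Name"])
        last = prev.get(key)
        prev[key] = ev
        if last is None:
            continue
        dt = ev["Timestamp_Sys100NS"] - last["Timestamp_Sys100NS"]
        if dt <= 0:
            continue  # out-of-order or duplicate sample; no interval to measure
        cputime = 100 * (ev["PercentProcessorTime"] - last["PercentProcessorTime"]) / dt
        if lo < cputime < hi:
            rows.append({"_time": ev["_time"], "host": ev["host"], "Name": ev["Name"], "cputime": cputime})
    return rows


def join_cores(rows, cores):
    """Mirror `join host [...]` (an inner join: hosts with no core count are
    dropped) and add a per-core percentage."""
    out = []
    for r in rows:
        n = cores.get(r["host"])
        if n is None:
            continue
        out.append({**r, "NumberOfCores": n, "cputime_per_core": r["cputime"] / n})
    return out


def cpu_per_core_by_host(process_events=PROCESS_EVENTS, core_events=CORE_EVENTS):
    """End-to-end: {(host, Name, _time): percent of one core}."""
    rows = join_cores(per_process_cpu(process_events), latest_cores(core_events))
    return {(r["host"], r["Name"], r["_time"]): r["cputime_per_core"] for r in rows}


if __name__ == "__main__":
    for key, pct in sorted(cpu_per_core_by_host().items()):
        print(key, f"{pct:.1f}% of one core")
```

Two things this makes visible that the SPL hides: the `cputime < 400` bound in the question is really "no more than 4 cores busy", so once NumberOfCores is joined the sanity check could be `cputime <= 100 * NumberOfCores` instead of a constant; and a join in Splunk is an inner join driven by a subsearch, so a host missing from WMI:processinfo (PC3 here) silently disappears from the chart, and the subsearch is subject to Splunk's subsearch result limits when many hosts report. For a value that changes at most daily, a scheduled search writing the host/NumberOfCores pairs out with `outputlookup` and a `lookup` in the main search is the usual way to avoid both issues.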