I want to create an alert when the CPU is at 50% or higher for greater than 5 mins.
I thought this would work, but it is not:
host=myhost sourcetype="PerfmonMk:Process" instance=java "%_Processor_Time">50
| bucket _time span=5m
| stats avg("%_Processor_Time") as CPU by _time
| where CPU>50
Thoughts?
I don't think you need the processor time filter in your base search. Let your stats worry about the calculation.
For similar requests, we've typically used min(). If the minimum over a period is greater than your threshold, then it was above your threshold the whole time. The avg() could be above the threshold even if it's dipping/spiking over that period.
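The min() versus avg() point from the reply above, worked through on constructed data. This is an added example, not code from the thread: it is a Python sketch of the 5-minute bucketing and stats step, not SPL, and the sample values, the function names and the min_samples guard are assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD = 50.0   # percent CPU, "50% or higher" from the question
SPAN = 300         # seconds, mirrors "bucket _time span=5m"

# Constructed samples: (epoch seconds, % processor time), one per minute.
SAMPLES = [
    # bucket 0: spiky load that dips well below the threshold twice
    (0, 95.0), (60, 20.0), (120, 90.0), (180, 15.0), (240, 98.0),
    # bucket 300: sustained load, never below the threshold
    (300, 62.0), (360, 58.0), (420, 71.0), (480, 66.0), (540, 55.0),
    # bucket 600: idle
    (600, 5.0), (660, 8.0), (720, 4.0), (780, 6.0), (840, 7.0),
]

def bucket_stats(samples, span=SPAN):
    """Group samples into fixed buckets and compute avg, min and count."""
    buckets = defaultdict(list)
    for ts, cpu in samples:
        buckets[ts - ts % span].append(cpu)   # snap to bucket start
    return {
        start: {"avg": sum(v) / len(v), "min": min(v), "count": len(v)}
        for start, v in sorted(buckets.items())
    }

def alerting_buckets(samples, stat, threshold=THRESHOLD, span=SPAN,
                     min_samples=1):
    """Return bucket start times where the chosen stat meets the threshold.

    min_samples (an assumption of this sketch) skips sparse buckets: with
    a single sample, min() equals that sample and proves nothing about
    the rest of the window.
    """
    return [
        start for start, s in bucket_stats(samples, span).items()
        if s["count"] >= min_samples and s[stat] >= threshold
    ]

if __name__ == "__main__":
    for start, s in bucket_stats(SAMPLES).items():
        print(start, s)
    print("avg alerts:", alerting_buckets(SAMPLES, "avg"))
    print("min alerts:", alerting_buckets(SAMPLES, "min"))
```

With avg, the spiky first bucket alerts even though the CPU dropped to 15% inside it; with min, only the bucket that stayed at or above 50% for every sample alerts.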