I have a saved search that goes like this:
index=os sourcetype=cpu host=* | multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | search host="birdhouse" | where Percent_CPU_Load > 80
My intent was to receive an alert if the overall CPU load of the server is over 80%. However, it seems this string will trigger if any single core is over 80%, since it is reading mpstat data and seems to trigger for each line if result is over 80. Leaving aside for the moment that cpu.sh cuts off Core #0, is there a way I can trigger on the average of all the cores?
Thanks,
DL
Did this work for you ?
I tried the same but do not see any results
index=os sourcetype=cpu host=birdhouse | multikv fields pctIdle | eval Percent_CPU_Load = 100 - pctIdle | stats avg(Percent_CPU_Load) as Percent_CPU_Load by host | where Percent_CPU_Load > 80