Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting "top 3" (Windows) processes, sorted by CPU usage, when CPU usage goes over xx%

so_edv1
New Member
‎03-08-2019 12:51 AM

Hello everyone,

Pretty new to Splunk and, to be honest, I'm going under in work so I don't have time to work myself in a lot 😕 and so I hoped someone could help me with something, I somehow couldn't find some solution for..

We. I. want to monitor our VDA Servers and get informed / an e-mail once the CPU usage goes over a certain amount. Let's say 70%.

This shouldn't happen. But of course sometimes it does. And we want to know through which process.

So we basically want to get a short e-mail.

"Hey. CPU load on X is over the limit.

Here are the top 3 processes, sorted by CPU load produced:

  • MS Teams - 30%
  • Chrome - 25%
  • Outlook 20%

"

Is there a pre-made solution someone knows? Or a powershell script?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2019 06:00 AM

First, you must have performance data from your VDA servers indexed in Splunk. You can use a universal forwarder to send perfmon:CPU events to do that.

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
interval = 60
disabled = 0

Once you have the data, it's easy to craft a search that runs every few minutes to look for servers with high CPU utilization. 

index=windows | stats sum('% Processor Time') as PctCPU | where PctCPU > 70

See https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/MonitorWindowsperformance for details.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2019 06:00 AM

First, you must have performance data from your VDA servers indexed in Splunk. You can use a universal forwarder to send perfmon:CPU events to do that.

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
interval = 60
disabled = 0

Once you have the data, it's easy to craft a search that runs every few minutes to look for servers with high CPU utilization. 

index=windows | stats sum('% Processor Time') as PctCPU | where PctCPU > 70

See https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/MonitorWindowsperformance for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

so_edv1
New Member
‎03-10-2019 11:51 PM

Sorry for the late reply, hope everyone had a nice weekend 🙂

Going to try this out.

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...