Monitoring Splunk

Help for monitoring an abnormally high CPU load under lasting conditions

jip31
Motivator

hi

I use the search below in order to monitor the processes which use more than 80% of CPU:

index="TUTU" sourcetype="perfmonmk:process" 
| where process_cpu_used_percent>80 

But I want to monitor only the processes > 80% of CPU which last at least one minute or more, and to display it in a timechart.
Could you help me please??
Thanks

1 Solution

DavidHourani
Super Champion

Hi @jip31,

Nice index name ^^

This query is correct:

index="TUTU" sourcetype="perfmonmk:process" 
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10

If you want to use bucket you can use it like this:

 index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10

Cheers,
David


jip31
Motivator

Hi David,

When I add bin _time I have the message: "the specifier bin_time is invalid. It must be in form (). For example : max(size)".
And I want to display ten events (host) in my timechart, but only the last 10 events (host).
With head 10 I have ten events but not the last...


DavidHourani
Super Champion

ohhhh, sorry! hahah it's actually bucket 😄

 index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10

As for the last 10 you can use reverse:

index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time|reverse | head 10

jip31
Motivator

Thanks David,
Last question: my final search is:

index="tutu" sourcetype="perfmonmk:process" 
| where process_cpu_used_percent>80 
| bucket _time span=1m 
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
| eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
| table _time host process_cpu_used_percent 
| dedup host 
| reverse 
| head 10

Do you think it's correct??


DavidHourani
Super Champion

Looks good!

But I think you want to use your 80% filter after the stats; that way it gets applied to the average. This should do:

 index="tutu" sourcetype="perfmonmk:process" 
 | bucket _time span=1m 
 | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
 | where process_cpu_used_percent>80 
 | eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
 | dedup host 
 | reverse 
 | head 10
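The point David makes above (filter on the per-minute average, not on the raw samples) is easy to see on a few constructed samples. The Python below is an added illustration, not code from the thread or from Splunk: it re-implements the `bucket _time span=1m | stats avg(...) by host, _time | where avg > 80` pipeline over a hand-written list of perfmon-style events and contrasts it with the earlier ordering that applied `where` before `stats`. The event tuples, host names and the "keep the newest bucket per host" rule in `latest_per_host` are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like the thread's perfmonmk:process data:
# (_time, host, process_name, process_cpu_used_percent). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:05Z", "web01", "java",   95.0),
    ("2024-03-01T10:00:20Z", "web01", "java",   90.0),
    ("2024-03-01T10:00:35Z", "web01", "java",   88.0),
    ("2024-03-01T10:00:50Z", "web01", "java",   91.0),
    # web02: a single 15-second spike in an otherwise idle minute
    ("2024-03-01T10:00:05Z", "web02", "backup", 99.0),
    ("2024-03-01T10:00:20Z", "web02", "backup", 10.0),
    ("2024-03-01T10:00:35Z", "web02", "backup", 12.0),
    ("2024-03-01T10:00:50Z", "web02", "backup", 11.0),
    # web01 cools down in the following minute
    ("2024-03-01T10:01:05Z", "web01", "java",   40.0),
    ("2024-03-01T10:01:20Z", "web01", "java",   42.0),
]


def bucket_time(ts: str, span: int = 60) -> str:
    """Equivalent of `bucket _time span=1m`: floor the timestamp to the span."""
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    floored = int(epoch // span) * span
    return datetime.fromtimestamp(floored, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def avg_by_host_bucket(events, span=60):
    """Equivalent of `stats avg(process_cpu_used_percent) by host, _time`."""
    sums = defaultdict(float)
    counts = defaultdict(int)
    for ts, host, _proc, cpu in events:
        key = (host, bucket_time(ts, span))
        sums[key] += cpu
        counts[key] += 1
    return {key: sums[key] / counts[key] for key in sums}


def sustained_high_cpu(events, threshold=80.0, span=60):
    """David's final ordering: bucket -> stats avg -> where avg > threshold.
    A host only appears if its whole minute averaged above the threshold."""
    averages = avg_by_host_bucket(events, span)
    rows = [(b, h, avg) for (h, b), avg in averages.items() if avg > threshold]
    return sorted(rows)


def spiky_high_cpu(events, threshold=80.0, span=60):
    """The earlier ordering (where before stats): only samples above the
    threshold survive, so the average is taken over the spikes alone and a
    one-sample spike looks like a sustained condition."""
    above = [e for e in events if e[3] > threshold]
    averages = avg_by_host_bucket(above, span)
    return sorted((b, h, avg) for (h, b), avg in averages.items())


def latest_per_host(rows, limit=10):
    """One row per host, its most recent bucket (assumed rule for this
    example), newest first, at most `limit` hosts."""
    newest = {}
    for b, h, avg in rows:
        if h not in newest or b > newest[h][0]:
            newest[h] = (b, h, avg)
    return sorted(newest.values(), reverse=True)[:limit]


def format_percent(avg: float) -> str:
    """Mirror of the thread's `eval ... = round(x, 1)." %"`."""
    return f"{round(avg, 1)} %"


if __name__ == "__main__":
    print("where after stats (sustained load only):")
    for b, h, avg in latest_per_host(sustained_high_cpu(SAMPLE_EVENTS)):
        print(f"  {b} {h} {format_percent(avg)}")
    print("where before stats (spikes pass the filter):")
    for b, h, avg in spiky_high_cpu(SAMPLE_EVENTS):
        print(f"  {b} {h} {format_percent(avg)}")
```

With these samples only web01 averages above 80% over a full minute; web02's single 99% sample is averaged down to 33% and dropped. Filtering before the average keeps web02 at 99%, which is exactly the false positive the reordering avoids.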

DavidHourani
Super Champion

Please upvote comments and accept the answer if it was helpful ❤️


deepashri_123
Motivator

Hey @jip31,

Can you try using avg(process_cpu_used_percent) and use bin _time span=1m and then try using where.
Let me know if this helps!!


jip31
Motivator

Hi,
Thanks.
I have done this but I don't understand how to use bin_time?
I would also like to have only the last 10 events.

index="test" sourcetype="perfmonmk:process"
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10

Could you help me please??
