Re: show top 5 CPU Usage vom VMware Hosts

pduvofmr · ‎10-11-2019

Hi Splunkies,

this is my search:
index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart avg(cpu_load_percent) by hypervisor_name

my Problem:
This search will list all hosts.
But, i would like to have an evaluation of the top 5 hosts.
The idea was to calculate the sum of average values from one host over a period of time.
Then i compare this result with the other hosts and could sort a top 5 list...

Does anyone have an idea how to modify the search?

Prewin027 · ‎10-13-2019

Hi,

You can use below search.

index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart avg(cpu_load_percent) by hypervisor_name

modify the same to

index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*"
| join hypervisor_id [search index="vmware-inv" sourcetype="vmware:inv:hostsystem"]
| timechart usenull=f useother=f avg(cpu_load_percent) by hypervisor_name where avg in top5

pduvofmr · ‎10-14-2019

Hi,

works, but it dont sort the host list vom maximum to minimum load.
Can you helm me again?

thx

woodcock · ‎10-13-2019

Never use join; try this:

(index="vmware-perf" sourcetype="vmware:perf:cpu" hypervisor_id="*") OR
(index="vmware-inv" sourcetype="vmware:inv:hostsystem")
| eventstats values(hypervisor_name) AS hypervisor_name BY hypervisor_id
| timechart avg(cpu_load_percent) AS avg_cpu_load_pct BY hypervisor_name
| untable _time hypervisor_name avg_cpu_load_pct
| eventstats sum(avg_cpu_load_pct) AS sum_for_top5 BY hypervisor_name
| sort 0 - sum_for_top5 hypervisor_name
| streamstats current=f last(hypervisor_name) AS next_hypervisor_name
| streamstats count(eval(hypervisor_name!=next_hypervisor_name)) AS count
| where count<5
| timechart limit=0 useother=f avg(avg_cpu_load_pct) AS avg_cpu_load_pct BY hypervisor_name

pduvofmr · ‎10-14-2019

Quote: Never use join

Why, please explain - thx

woodcock · ‎10-14-2019

Just Google it. This has been widely opined. It does not scale.

pduvofmr · ‎10-14-2019

the problem is that the graph shows zero until the evaluation is complete. (10-30 seconds)

With join the graph builds up ...

woodcock · ‎10-14-2019

But it will be lacking events and showing incorrect results.

pduvofmr · ‎10-14-2019

Hi,

ther is no list of hosts...

woodcock · ‎10-14-2019

I assumed that hypervisor_name was your "host" field. Are there multiple hosts per hypervisor or multiple hypervisor per host? Answer that and I will try again.

pduvofmr · ‎10-14-2019

host = ESX Server
supervisor = ???

actualy the top5 ESX server where sorted alphabetically, not by load

woodcock · ‎10-14-2019

Stupid autocorrect. I should have said "hypervisor", not "supervisor".

pduvofmr · ‎10-14-2019

Correction:

there is a host list, was a performance problem, sorry, dev center 😉
Now, how to sort hosts to display from maximum to minimum load?

thx

show top 5 CPU Usage vom VMware Hosts

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases