Skip to main content
Splunk Lantern

CPU utilization of Elastic Compute Cloud (EC2) instances


EC2 instances with consistently low CPU utilization (overprovisioned) might contribute to excessive or wasted cloud spend. EC2 instances with consistently high CPU utilization (underprovisioned) might experience performance issues associated with CPU resource constraints. You need to be able to easily identify these instances so you can decide what to do with them.

Data required

AWS: Cloudwatch data


  1. Configure the Splunk Add-on for Amazon WebServices.
  2. Ensure that your deployment is ingesting AWS data through one of the following methods:
    1. Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work.
    2. Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    index="<AWS index name>" sourcetype="aws:cloudwatch" metric_dimensions="InstanceId=*" metric_name=CPUUtilization
    | stats sparkline(avg(Average),5m) AS cpu_trend avg(Average) AS avg_cpu perc99(Average) AS p99_cpu BY metric_dimensions
    | sort p99_cpu

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
index="<AWS index name>" sourcetype="aws:cloudwatch" Search the indexes where AWS data is stored filtered to just the AWS Cloudwatch Logs source type.
metric_dimensions="InstanceId=*" metric_name=CPUUtilization Search for the CPU utilization metric.
| stats sparkline(avg(Average),5m) AS cpu_trend avg(Average) AS avg_cpu perc99(Average) AS p99_cpu BY metric_dimensions

Identify average and max CPU utilization per instance, and add the sparkline function to visualize the CPU trend over time.

To identify underprovisioned instances, add the following line of SPL to this search next: | where avg_cpu > 50 and p99_cpu > 95

| sort p99_cpu Sort by instances with the lowest CPU utilization first.

Next steps

For overprovisioned EC2 instances, use the results from your search to make decisions about resizing and optimizing your cloud environment so you can reduce cost. For underprovisioned EC2 instances, use the results to decide which instances might be candidates for upsizing to ensure workloads run smoothly and without limitations.

You might also want to look at other searches in Managing an Amazon Web Services environment.