
Windows CPU utilization nearing capacity

 

Excessive CPU utilization on a host, particularly abnormal or prolonged, is a sign of potential issues with the critical applications running on the host. You want to detect when an application is starved for CPU resources so you can prevent performance degradations or application instability. 

Data required

Procedure

  1. In Splunk Enterprise or Splunk Cloud Platform, verify that you deployed the Splunk Add-on for Microsoft Windows to your search heads, indexer, and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| mstats min(Processor.%_Idle_Time) AS "processor_idle_time" WHERE index="<name of Windows metrics index>"  host="<name of host to check>" (instance="_Total" AND object="Processor") BY host span=30s
| eval processor_active_time=100-processor_idle_time
| timechart span=1m max(processor_active_time) AS processor_active_time BY host

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: | mstats min(Processor.%_Idle_Time) AS "processor_idle_time" WHERE index="<name of Windows metrics index>"  host="<name of host to check>" (instance="_Total" AND object="Processor") BY host span=30s
Explanation: Search metrics index(s) where CPU utilization data is being collected and filter down to the desired host(s).

Splunk Search: | eval processor_active_time=100-processor_idle_time
Explanation: Convert processor idle time to processor active time for readability.

Splunk Search: | timechart span=1m max(processor_active_time) AS processor_active_time BY host
Explanation: Plot the CPU utilization for each host over time.

Next steps

Set up an alert based on this search so you can proactively manage potential stability issues. 

To alert when CPU utilization is nearing maximum capacity, you can configure one of the following two recommendations:

  • Use the SPL from this procedure to configure a Core Splunk alert.
  • Configure the Average CPU Usage vital metric for the Windows entity type in IT Essentials Work to alert when the CPU Utilization percentage is at or near 100.
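
One way to adapt the search from this procedure for the first option, as an added example that is not part of the original page: it replaces the timechart with a per-host summary and returns a host only when most of its 30-second samples in the alert's time range are at or above a threshold. The field names threshold_pct, min_high_ratio, samples, high_samples, high_ratio and peak_active_time, and the values 95 and 0.8, are assumptions to tune for your environment.

```spl
| mstats min(Processor.%_Idle_Time) AS "processor_idle_time" WHERE index="<name of Windows metrics index>" host="<name of host to check>" (instance="_Total" AND object="Processor") BY host span=30s
| eval processor_active_time=100-processor_idle_time
| eval threshold_pct=95, min_high_ratio=0.8
| stats count AS samples, count(eval(processor_active_time>=threshold_pct)) AS high_samples, max(processor_active_time) AS peak_active_time, max(min_high_ratio) AS min_high_ratio BY host
| eval high_ratio=round(high_samples/samples, 2)
| where high_ratio>=min_high_ratio
| table host, samples, high_samples, high_ratio, peak_active_time
```

Schedule it over a short window, such as the last 15 minutes, and trigger the alert when the number of results is greater than zero, so a single brief spike does not fire it.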

Finally, you might be interested in other processes associated with the Maintaining Microsoft Windows systems use case.