SebasL
Feb 13, 2020, Copper Contributor
Group similar Process name in LogsAnalytics
Hi, I am looking for a query where I can get % Process CPU for specific processes. My main concern is that I would like to group some of them.
For instance:
"ZSAService", "ZSATunnel" and "ZSATray" should all be grouped under ZScaler.
My current query:
Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or InstanceName contains "CSFalconSer" or InstanceName contains "ZSA" )
| summarize avg(CounterValue) by InstanceName, bin(TimeGenerated, 1d)
| render timechart with (title = "% CPU SECURITE")
And the current result:
Thanks
2 Replies
- CliveWatson, Former Employee
If you wanted two groups (ZSA and non-ZSA) that would be:
Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or InstanceName contains "CSFalconSer" or InstanceName contains "ZSA")
| summarize Zscaler = avgif(CounterValue, InstanceName startswith "ZSA"), theOthers = avgif(CounterValue, InstanceName !startswith "ZSA") by bin(TimeGenerated, 1d)
| render timechart
I'll need to think more about this, unless anyone else has an idea?
Thanks
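A more general way to group the processes into named products, with one series per group instead of a ZSA / non-ZSA pair, is to map each InstanceName to a label with case() and then summarize by that label. The query below is an added example, not code from either post. The Computer filter "sl2" and the process name patterns come from the original question; the group labels "Zscaler", "CrowdStrike", "Sysmon" and the catch-all "Other", the 7-day window and the 1-minute sample bin are assumptions made here.

```kql
// Added example (not from the original thread): name-based grouping of
// per-process "% Processor Time" samples in the Perf table.
Perf
| where TimeGenerated > ago(7d)                         // assumed lookback window
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where InstanceName contains "Sysmon"
    or InstanceName contains "CSFalconSer"
    or InstanceName contains "ZSA"
// One label per product. case() takes the first matching predicate, so the
// order matters if a name could match more than one pattern; "Other" is the
// fallback for anything that passed the filter above but matched no rule.
| extend ProcessGroup = case(
    InstanceName startswith "ZSA",        "Zscaler",      // ZSAService, ZSATunnel, ZSATray
    InstanceName contains "CSFalconSer",  "CrowdStrike",  // assumed label for the Falcon sensor service
    InstanceName contains "Sysmon",       "Sysmon",
    "Other")
// Step 1: add the processes of a group together per computer per sample,
// so three Zscaler processes count as one product's CPU rather than being
// averaged against each other.
| summarize GroupCPU = sum(CounterValue)
    by Computer, ProcessGroup, SampleTime = bin(TimeGenerated, 1m)
// Step 2: daily average of that per-group total, one line per group.
| summarize AvgCPU = avg(GroupCPU) by ProcessGroup, bin(SampleTime, 1d)
| render timechart with (title = "% CPU SECURITE")
```

Two points worth checking before trusting the chart: the Process "% Processor Time" counter is per core, so a group's sum can exceed 100 on a multi-core host, and the `contains` matches are case-insensitive substring tests, so a pattern such as "ZSA" should be verified against `Perf | distinct InstanceName` to make sure it is not catching unrelated processes. The two-step summarize is what makes the grouping meaningful; a single avg() over all samples in a group reports the mean of one process, not the product's total.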
- SebasL, Copper Contributor