Forum Discussion

Ahmed Atef's avatar
Ahmed Atef
Brass Contributor
Feb 20, 2018
Solved

create a search query for the Average of CPU over 15 mins .. and set alert to it

Hi all    I am trying to create some monitoring based on OMS Queries one of the them is creating an alert if the average CPU Utilization over 15 mins was more than 90% ..    when i use this q...
Azure Log Analytics
azure monitor
  • Stanislav_Zhelyazkov's avatar
    Stanislav_Zhelyazkov
    Feb 21, 2018

    Hi

    Yes with this query you are getting the results for all results that are above 90 which is not the thing you want to achieve.

     

    The correct way to get the computers with above 90 % is this:

    Perf
| where TimeGenerated > ago(15m) 
| where ( ObjectName == "Processor Information" ) and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer
| where AggregatedValue > 90
| render table

    Because you will be using this in alert there are a few things you want to change.

    First you will remove the filter on TimeGenerated. When creating alert you can specify the period (time frame) of the alert. There you will specify 15 mins. Second you do not need to filter on Aggregated Value from alerts by choosing this to be metric alert there you can configure the threshold. You also do not need render as alerts do not use it. At last you will have to add bin() function that will match the period (time frame) in your case 15 mins. The end result is this query that you can use to create alert:

    Perf
| where  ObjectName == "Processor Information" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)
Stanislav_Zhelyazkov's avatar
Stanislav_Zhelyazkov
MVP
Jul 12, 2018

Hi,

I am not quite sure what you want to achieve. If I understand correctly may be this:

Perf
| where  ObjectName == "Processor Information" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)
| where AggregatedValue > 90
| render table

You can also render timechart but the visualization will not be pretty as it will show only periods where the machines were above 90. Because such visualization is not pretty I am not sure if this is thing you want to achieve.

RCDevops777's avatar
RCDevops777
Copper Contributor
Mar 07, 2019

Hi Stanislav, 

 

We are using the ObjectName == "Processor" for this query, hope it is the same ?

 

Perf
| where  ObjectName == "Processor Information" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)
| where AggregatedValue > 90
| render table

 

  • Stanislav_Zhelyazkov's avatar
    Stanislav_Zhelyazkov
    MVP
    Mar 08, 2019

    Which counters you will use depends on your requirements otherwise the query is general enough to be modified to work with other counters.

Resources