cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

create a search query for the Average of CPU over 15 mins .. and set alert to it

Ahmed Atef
Brass Contributor

‎Feb 20 2018 05:05 AM - last edited on ‎Apr 07 2022 04:54 PM by

‎Feb 20 2018 05:05 AM - last edited on ‎Apr 07 2022 04:54 PM by

create a search query for the Average of CPU over 15 mins .. and set alert to it

Hi all 

 

I am trying to create some monitoring based on OMS Queries one of the them is creating an alert if the average CPU Utilization over 15 mins was more than 90% .. 

 

when i use this query what i think it is doing is getting all the entries that are more than 90 and get the average of them, but what i want is to get all the measures and based on the average of them if its more than 90 return results so i can create alerts based on that. 

 

keep in consideration im using the OMS search query not the advanced analytics. 

 

Perf
| where TimeGenerated > ago(15m)
| where ( ObjectName == "Processor Information" ) and CounterName == "% Processor Time" and InstanceName == "_Total"
| where CounterValue > 90
| summarize avg(CounterValue) by Computer
| render table

 

help appreciated :) 

 

Thanks

Ahmed

28.2K Views
0 Likes
7 Replies
Reply
7 Replies
best response confirmed by Ahmed Atef (Brass Contributor)
Stanislav Zhelyazkov

‎Feb 20 2018 11:00 PM

‎Feb 20 2018 11:00 PM

Solution

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

Hi

Yes with this query you are getting the results for all results that are above 90 which is not the thing you want to achieve.

 

The correct way to get the computers with above 90 % is this:

Perf
| where TimeGenerated > ago(15m) 
| where ( ObjectName == "Processor Information" ) and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer
| where AggregatedValue > 90
| render table

Because you will be using this in alert there are a few things you want to change.

First you will remove the filter on TimeGenerated. When creating alert you can specify the period (time frame) of the alert. There you will specify 15 mins. Second you do not need to filter on Aggregated Value from alerts by choosing this to be metric alert there you can configure the threshold. You also do not need render as alerts do not use it. At last you will have to add bin() function that will match the period (time frame) in your case 15 mins. The end result is this query that you can use to create alert:

Perf
| where  ObjectName == "Processor Information" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)
2 Likes
Reply
Ahmed Atef

‎Feb 20 2018 11:44 PM

‎Feb 20 2018 11:44 PM

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

Thanks alot for your response and clarification
0 Likes
Reply
Nikolaj Pedersen

‎Jul 11 2018 06:03 AM

‎Jul 11 2018 06:03 AM

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

Hi,
I need the exact same query, for for visualization, not for alerting.
I cannot figure out how to only add it to the result table/visualization if the average CPU Utilization over 15 mins was more than 90%. What's the best way to do this?
Regards,
Nikolaj
@Stanislav Zhelyazkov

0 Likes
Reply
Stanislav Zhelyazkov

‎Jul 12 2018 08:15 AM

‎Jul 12 2018 08:15 AM

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

Hi,

I am not quite sure what you want to achieve. If I understand correctly may be this:

Perf
| where  ObjectName == "Processor Information" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)
| where AggregatedValue > 90
| render table

You can also render timechart but the visualization will not be pretty as it will show only periods where the machines were above 90. Because such visualization is not pretty I am not sure if this is thing you want to achieve.

0 Likes
Reply
RCDevops777

‎Mar 07 2019 07:08 AM

‎Mar 07 2019 07:08 AM

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

Hi Stanislav, 

 

We are using the ObjectName == "Processor" for this query, hope it is the same ?

 

Perf
| where  ObjectName == "Processor Information" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)
| where AggregatedValue > 90
| render table

 

0 Likes
Reply
Stanislav Zhelyazkov

‎Mar 07 2019 10:26 PM

‎Mar 07 2019 10:26 PM

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

Which counters you will use depends on your requirements otherwise the query is general enough to be modified to work with other counters.

0 Likes
Reply
david1718

‎Mar 21 2022 06:05 AM - edited ‎Mar 21 2022 06:06 AM

‎Mar 21 2022 06:05 AM - edited ‎Mar 21 2022 06:06 AM

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

@Stanislav Zhelyazkov 

 

Hi,

 

I'm trying to get the CPU usage from every process on my vm is that posible with log analytics? I can't seem to get it.

This is what I have until now.
Perf
| where TimeGenerated > now(-30m)
and ObjectName == "Process"
and CounterName == "% Processor Time"
and InstanceName != "_Total"
and InstanceName != "Idle"
and CounterValue > 5
| project Computer, ObjectName, CounterName, InstanceName, CounterValue, TimeGenerated

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Ahmed Atef (Brass Contributor)
Stanislav Zhelyazkov

‎Feb 20 2018 11:00 PM

‎Feb 20 2018 11:00 PM

Solution

Re: create a search query for the Average of CPU over 15 mins .. and set alert to it

Hi

Yes with this query you are getting the results for all results that are above 90 which is not the thing you want to achieve.

 

The correct way to get the computers with above 90 % is this:

Perf
| where TimeGenerated > ago(15m) 
| where ( ObjectName == "Processor Information" ) and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer
| where AggregatedValue > 90
| render table

Because you will be using this in alert there are a few things you want to change.

First you will remove the filter on TimeGenerated. When creating alert you can specify the period (time frame) of the alert. There you will specify 15 mins. Second you do not need to filter on Aggregated Value from alerts by choosing this to be metric alert there you can configure the threshold. You also do not need render as alerts do not use it. At last you will have to add bin() function that will match the period (time frame) in your case 15 mins. The end result is this query that you can use to create alert:

Perf
| where  ObjectName == "Processor Information" and CounterName == "% Processor Time" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 15m)

View solution in original post

2 Likes
Reply