cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Group similar Process name in LogsAnalytics

SebasL
Copper Contributor

‎Feb 12 2020 11:52 PM - last edited on ‎Apr 08 2022 10:18 AM by

‎Feb 12 2020 11:52 PM - last edited on ‎Apr 08 2022 10:18 AM by

Group similar Process name in LogsAnalytics

Hi, I am looking for a query where I can get % Process CPU for specific Process. My main concern is that I would like to group some of them.

For instance:

"ZSAService", "ZSATunnel" and "ZSATray" sould all been group under ZScaler

 

My current query :

Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or  InstanceName contains "CSFalconSer"  or  InstanceName contains "ZSA" )
| summarize avg(CounterValue) by InstanceName, bin(TimeGenerated, 1d)
| render timechart title = "% CPU SECURITE"

 and the current result:

2020-02-13_02-49-18.gif

Labels:
1,321 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by SebasL (Copper Contributor)
CliveWatson

‎Feb 13 2020 12:33 PM - edited ‎Feb 13 2020 12:53 PM

‎Feb 13 2020 12:33 PM - edited ‎Feb 13 2020 12:53 PM

Solution

Re: Group similar Process name in LogsAnalytics

@SebasL 

 

If you wanted two groups (ZSA and non-ZSA) that would be:

 

 

Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or  InstanceName contains "CSFalconSer"  or  InstanceName contains "ZSA" )
| summarize Zscaler    = avgif(CounterValue, InstanceName startswith  "ZSA")
            ,theOthers = avgif(CounterValue, InstanceName !startswith "ZSA")
         by  bin(TimeGenerated, 1d)
| render timechart

 

I'll need to think more about this, unless anyone else has an idea?

 

Thanks 

 

0 Likes
Reply
SebasL

‎Feb 14 2020 04:06 AM

‎Feb 14 2020 04:06 AM

Re: Group similar Process name in LogsAnalytics

@CliveWatson 

 

Many thanks, that's do it! :smile:

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by SebasL (Copper Contributor)
CliveWatson

‎Feb 13 2020 12:33 PM - edited ‎Feb 13 2020 12:53 PM

‎Feb 13 2020 12:33 PM - edited ‎Feb 13 2020 12:53 PM

Solution

Re: Group similar Process name in LogsAnalytics

@SebasL 

 

If you wanted two groups (ZSA and non-ZSA) that would be:

 

 

Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or  InstanceName contains "CSFalconSer"  or  InstanceName contains "ZSA" )
| summarize Zscaler    = avgif(CounterValue, InstanceName startswith  "ZSA")
            ,theOthers = avgif(CounterValue, InstanceName !startswith "ZSA")
         by  bin(TimeGenerated, 1d)
| render timechart

 

I'll need to think more about this, unless anyone else has an idea?

 

Thanks 

 

View solution in original post

0 Likes
Reply