SOLVED

Help understanding Processor counters

Hi all

I'm trying to create a good query for Log Analytics to measure CPU average usage and peaks in order to determine whether the VM is under/over utilized.

For a long time I've been using this query:

Perf
| where CounterName == "% Processor Time" and TimeGenerated > ago(30d)
| summarize avgCPU = avg(CounterValue) by Computer
| where avgCPU < 30

However, I started researching a bit more so I could add peaks and that messed things up quite a bit.

First of all, I discovered that, if I added "Processor" as a filter for "ObjectName", the average would vary greatly from the result given without that filter.

On closer inspection I noticed that processor would bring up only the Instance named "_total", but without that filter, the query would return all processes, including _total and _idle.
So, which one would be more accurate to determine the average utilization of the CPU of a VM, for all the cores at any given time?
And, also, if the answer is not using the Processor ObjectName as a filter, why is it returning the _Idle and _total processes as well? Isn't this bad for calculating the average?? Shouldn't I exclude these two?


The second issue arose when I included the max value for the counter, trying to get peaks of CPU.
So, when using this query:

Perf
| where CounterName == "% Processor Time" and TimeGenerated > ago(1d)
| summarize avgCPU = avg(CounterValue), maxCPU = max(CounterValue) by Computer
| where avgCPU < 30

I got values that were way over 100... and since this should be a measure of total CPU based on a 100% utilization, I think this is wrong, but I'm not sure why.
For some VMs I get 1000 or 450 values, which makes no sense.
Can you help me understand why?

Thanks in advance.

4 Replies
Best Response confirmed by Stanislav Zhelyazkov (MVP)
Solution

Hi @Dante Nahuel Ciai

The right query will be:

Perf
| where CounterName =~ '% Processor Time' and ObjectName =~ 'Processor' and InstanceName =~ '_Total' 
| summarize AggregatedValue = avg(CounterValue) by _ResourceId

or if you have on-premises VMs

Perf
| where CounterName =~ '% Processor Time' and ObjectName =~ 'Processor' and InstanceName =~ '_Total' 
| summarize AggregatedValue = avg(CounterValue) by Computer

Basically you only need _Total values for the counter. Besides average you can also use percentile(). I am not sure how max() will work for you as you can have a VM that once had for a second CPU at 100% and then all the time it was as low as 1%. Overall it depends on your logic and what kind of analysis you want to do.

@Stanislav Zhelyazkov Thank you for the answer. I came up with the same during the weekend. I removed the max() and instead went for percentile 95, and then check that value, which, if I understood correctly the counter, means that 95% of the sampled time, the counter value is below that value.
So, if I go
Percentiles(CPU,5,50,95) and I get
0.5,20,100

it means that 5% of the time, the CPU is below 0.5%, 50% is below 20% and 95% is below 100%.
Is that correct?

Also, I could use bin to use max(), correct?

@Dante Nahuel Ciai Not sure if I can explain it better than the Kusto article or Wikipedia (https://en.wikipedia.org/wiki/Percentile#The_Nearest_Rank_method) but I can give you an example where this is used a lot. It is used in measuring latency for web sites as there the average is not so important. Instead there you use percentile as you would want 95% of the customers to not experience high latency. Overall your explanation is also correct. You can use bin which will slice the data into time bins but it really depends on the bins. Overall I do not think max is suitable for processor time. For example let's say that every hour you have the CPU going to 100% for a second. If you slice your data to bins of 1 hour and calculate the maximum you will get that the CPU had maximum of 100% every hour but does that bring you any insights that your VM is not performing well?
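
An added example, not part of any post in this thread: the queries discussed above, run against constructed rows shaped like the Perf table instead of a real workspace. It assumes a 4-core VM named vm1 whose agent also collects "% Processor Time" for the Process object, where values can exceed 100 on a multi-core machine; the table name SamplePerf, the process name and every value are made up for illustration.

```kusto
// Constructed sample rows (not real data). Assumption: 4-core VM, agent
// collects '% Processor Time' for both the Processor and Process objects.
let SamplePerf = datatable(TimeGenerated:datetime, Computer:string, ObjectName:string,
                           CounterName:string, InstanceName:string, CounterValue:real)
[
    datetime(2020-10-01 10:00), 'vm1', 'Processor', '% Processor Time', '_Total',   12.0,
    datetime(2020-10-01 10:20), 'vm1', 'Processor', '% Processor Time', '_Total',    8.0,
    datetime(2020-10-01 10:40), 'vm1', 'Processor', '% Processor Time', '_Total',  100.0,
    datetime(2020-10-01 11:00), 'vm1', 'Processor', '% Processor Time', '_Total',   10.0,
    datetime(2020-10-01 11:20), 'vm1', 'Processor', '% Processor Time', '_Total',   15.0,
    datetime(2020-10-01 11:40), 'vm1', 'Processor', '% Processor Time', '_Total',    9.0,
    // Process-object rows: per-process values are scaled per core, so the
    // _Total and Idle instances sit far above 100 on this 4-core VM.
    datetime(2020-10-01 10:00), 'vm1', 'Process',   '% Processor Time', '_Total',  400.0,
    datetime(2020-10-01 10:00), 'vm1', 'Process',   '% Processor Time', 'Idle',    352.0,
    datetime(2020-10-01 10:00), 'vm1', 'Process',   '% Processor Time', 'sqlservr', 48.0
];
// 1) Filter on CounterName only, as in the question: Process rows are mixed
//    into the same avg() and max(), which pushes both past 100.
let Unfiltered = SamplePerf
| where CounterName == '% Processor Time'
| summarize avgCPU = avg(CounterValue), maxCPU = max(CounterValue),
            p95CPU = percentile(CounterValue, 95) by Computer
| extend Query = '1: CounterName only';
// 2) Filter from the accepted answer: only Processor/_Total rows remain,
//    so every value is a whole-machine percentage between 0 and 100.
let Filtered = SamplePerf
| where CounterName =~ '% Processor Time' and ObjectName =~ 'Processor' and InstanceName =~ '_Total'
| summarize avgCPU = avg(CounterValue), maxCPU = max(CounterValue),
            p95CPU = percentile(CounterValue, 95) by Computer
| extend Query = '2: Processor/_Total';
// 3) Same filter sliced into 1-hour bins: max() flags the hour containing the
//    single 100% sample, while avg() shows how brief that spike was.
let Hourly = SamplePerf
| where CounterName =~ '% Processor Time' and ObjectName =~ 'Processor' and InstanceName =~ '_Total'
| summarize avgCPU = avg(CounterValue), maxCPU = max(CounterValue)
            by Computer, bin(TimeGenerated, 1h)
| extend Query = '3: Processor/_Total per hour';
union Unfiltered, Filtered, Hourly
```

To run the same comparison on a real workspace, replace SamplePerf with Perf and add a TimeGenerated filter such as the ago(30d) used in the question.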

Hi Dante, there are a couple of workbooks that we ship in Azure Monitor that may help. Azure Portal>Monitor>Workbooks>Virtual Machine ... the one named Performance Analysis uses data collected by AzMon for VMs in the InsightsMetrics table. The one named Perf Counters offers a similar view but uses the Perf table. You can choose the counter of interest and multiple ways of aggregating the data (e.g. avg, P80, P95) as well as which aggregation to use for the trend line. Cheers, Scott