SOLVED

OMS query for high CPU utilisation with causing application name

Occasional Contributor

I am trying to build an OMS log search query for high CPU utilisation with process name details. I tried and failed, because I have no idea which values to use.

Example: when CPU performance is from 80% to 95%, an alert should be generated with the causing application name details (meaning the .exe name).

For testing, I executed one exe application on one machine to cause high CPU, and it consumed around 80%, but I am not able to find the exe name in the log table.

How can I create this query with a particular process utilisation range and the application name?

Can anyone help me to get the exact query?

4 Replies
That's a good idea; however, to link performance to process I think you need to combine performance counters with Event Logs, although I'm not sure.
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution

Hi,

Log Analytics supports adding any Windows/Linux performance counters. You could potentially add a performance counter for a specific process to monitor its CPU usage. You can even monitor the CPU usage of any available process by not specifying the instance and using "*" for the instance instead. Needless to say, this will create a lot of usage on your Log Analytics workspace and will not be cost effective at all. The second option, which requires some work on your part, is to implement the following workflow:

1. You have an alert for high CPU usage.

2. The alert kicks off a runbook when it is triggered.

3. The runbook connects to the server in question with high CPU and finds out which process has the highest CPU and how much exactly.

4. You can use the ingestion API for Log Analytics to send the data into a custom log.

Additionally, you can create another alert based on that custom log that contains the computer, the process and the CPU usage for it.

Hope this helps.

Is there an example already out there for this?

Hi,

No concrete example, but the main workflow was explained. If you have some scripting skills, it is not so hard to do.
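A sketch of steps 3 and 4 of the workflow in the accepted solution, added here as an example and not code from any participant in the thread. It assumes "ingestion API" means the Log Analytics HTTP Data Collector API, a Windows target reachable over PowerShell remoting from the runbook worker, and hypothetical asset and log-type names (`LaWorkspaceId`, `LaSharedKey`, `CpuReader`, `TopCpuProcess`).

```powershell
param([Parameter(Mandatory)] [string] $ComputerName)   # server named in the CPU alert

# Secrets live in encrypted Automation assets (hypothetical names), not in the script.
$workspaceId = Get-AutomationVariable     -Name 'LaWorkspaceId'
$sharedKey   = Get-AutomationVariable     -Name 'LaSharedKey'
$cred        = Get-AutomationPSCredential -Name 'CpuReader'   # assumed low-privilege account

# Step 3: sample per-process CPU on the target and keep the top consumer.
$top = Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
    $cores   = [Environment]::ProcessorCount
    $samples = (Get-Counter '\Process(*)\% Processor Time' -ErrorAction SilentlyContinue).CounterSamples
    $samples |
        Where-Object { $_.InstanceName -notin '_total', 'idle' } |
        Sort-Object CookedValue -Descending |
        # The counter sums all cores, so divide to get a 0-100 figure.
        Select-Object -First 1 -Property InstanceName,
            @{ Name = 'CpuPercent'; Expression = { [math]::Round($_.CookedValue / $cores, 1) } }
}
if (-not $top) { throw "No process counter samples returned from $ComputerName" }

# Step 4: build the record and sign it for the HTTP Data Collector API.
$json = @{
    Computer    = $ComputerName
    ProcessName = $top.InstanceName
    CpuPercent  = $top.CpuPercent
} | ConvertTo-Json
$bytes  = [Text.Encoding]::UTF8.GetBytes($json)
$date   = [DateTime]::UtcNow.ToString('r')          # RFC 1123, also sent as x-ms-date
$toSign = "POST`n$($bytes.Length)`napplication/json`nx-ms-date:$date`n/api/logs"

$hmac      = New-Object System.Security.Cryptography.HMACSHA256
$hmac.Key  = [Convert]::FromBase64String($sharedKey)
$signature = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))

$headers = @{
    'Authorization' = "SharedKey ${workspaceId}:$signature"
    'Log-Type'      = 'TopCpuProcess'   # hypothetical; stored as table TopCpuProcess_CL
    'x-ms-date'     = $date
}
$uri = "https://${workspaceId}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Headers $headers -Body $bytes
```

The workspace shared key grants write access to the whole workspace, so keep it in an encrypted variable and rotate it if the runbook is ever exported with its assets.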