Hello everyone,
I need help to understand if it is possible to create a table in Kibana to display servers where CPU is above 80% for 5 minutes (not a single event in 5 minutes, but during 5 minutes), so I can search for the servers on which high CPU remained for more than 5 minutes in the last week, for example.
I thought it should be an easy task, but I can't understand how to do that.
The field I use to measure CPU usage is system.cpu.total.norm.pct
Using Discover I can filter system.cpu.total.norm.pct > 0.8, then I can use the saved search as a table source and display the server list, but how can I find that CPU was above 80% for at least 5 minutes?
Does anyone know if something like that is possible, even if it will not be a table, maybe in Vega instead?
The only solution I can think of is to enforce a minimum interval of 5 minutes on a date histogram, then list all the servers with the average of system.cpu.total.norm.pct and sort the table by the
In recent versions of Lens you could also zero all values below the 80% to make it clearer or color them out:
In the table I've used the amount of bytes sent by each IP rather than CPU usage, where the threshold is > 14kb (just a random value). It is not completely filtered, but it's visually clear what is below and above the threshold I think.
I had to use a 24h time range interval to have a 5 minutes bucket there, as with a week interval the minimum bucket is 10 minutes (ES tries its best to satisfy the 5 minutes request but it's subject to configuration limits):
Thanks @Marco_Liberati, basically you mean to use average CPU per 5-10 minutes instead of duration. Looks like I will end up with your suggestion, but an average over 80 doesn't mean CPU was over 80 all 5 minutes.
You can use the Minimum operation then, which means that it never got lower than that - basically over 80 all 5 minutes.
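The difference between the Average and Minimum operations discussed in this thread, as an added example that is not part of any original post: it groups constructed samples into 5-minute buckets per host and compares what each operation flags. The one-sample-per-minute period, the host names and the values are assumptions, and the coverage check goes beyond the thread to handle buckets with missing samples.

```python
from collections import defaultdict
from statistics import mean

BUCKET_S = 300        # 5-minute date histogram interval, as in the thread
THRESHOLD = 0.8       # system.cpu.total.norm.pct > 0.8
SAMPLE_PERIOD_S = 60  # assumption: one metric document per host per minute


def bucketize(samples):
    """Group (epoch_seconds, host, pct) samples into per-host 5-minute buckets."""
    buckets = defaultdict(list)
    for ts, host, pct in samples:
        buckets[(host, ts - ts % BUCKET_S)].append(pct)
    return buckets


def flagged_by_avg(samples):
    """Buckets an Average-based table would show as above the threshold."""
    return {k for k, v in bucketize(samples).items() if mean(v) > THRESHOLD}


def flagged_by_min(samples, min_coverage=1.0):
    """Buckets where no sample dropped to the threshold or below.

    min_coverage is the fraction of expected samples that must be present;
    without it a bucket holding one high sample passes the Minimum test
    even though it says nothing about the rest of the 5 minutes.
    """
    need = (BUCKET_S // SAMPLE_PERIOD_S) * min_coverage
    return {k for k, v in bucketize(samples).items()
            if min(v) > THRESHOLD and len(v) >= need}


# Constructed sample data; T0 is aligned to a 5-minute boundary.
T0 = 1_699_999_800
SAMPLES = (
    # sustained load: every sample above 0.8
    [(T0 + 60 * i, "web-1", p) for i, p in enumerate([0.85, 0.90, 0.95, 0.88, 0.92])]
    # spiky load: average is 0.852 but one sample is 0.30
    + [(T0 + 60 * i, "web-2", p) for i, p in enumerate([0.99, 0.99, 0.99, 0.99, 0.30])]
    # sparse data: a single high sample in the whole bucket
    + [(T0 + 120, "db-1", 0.97)]
)

if __name__ == "__main__":
    print("avg > 0.8:", sorted(h for h, _ in flagged_by_avg(SAMPLES)))
    print("min > 0.8:", sorted(h for h, _ in flagged_by_min(SAMPLES)))
```
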
If someone is interested, I ended up with a different approach.
I created a dedicated index and am filling it with data using a watcher index action.
The watcher looks for system.cpu.total.norm.pct hits over a specific number in 5 minutes per host. In the index action I'm using the mandatory data I need, like instance type, name, etc. So now I can use a table with data that shows only the relevant servers where the issue happened.