I have a Windows machine (running a Splunk forwarder) which locks at 100% CPU every day at least once. I'd like to find out which process is the culprit. Any suggestions?
Hey Justin, I guess you could go several ways. For one thing you could set up a scripted input much along the lines of what the Unix app does to index the output of ps or top.
You could use a script that runs tasklist, for example:
tasklist /fo csv /v
Which will result in some easily indexable output:
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","2884","Console","1","35,320 K","Running","DOMAIN\username","0:00:07","N/A"
"SearchIndexer.exe","3144","Services","0","35,652 K","Unknown","N/A","0:00:10","N/A"
CPU time is listed in hh:mm:ss so that is not incredibly useful for detecting your redline problem, but can provide some interesting metrics to monitor.
Another way would be to go the PowerShell route. You could put something along the following into a PowerShell script and use it as a scripted input:
gps | sort -p cpu -desc
Which would give you some more top-like output:
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s)   Id ProcessName
------- ------ ----- ----- ----- ------   -- -----------
    135      7 38576 35432   108  30.73 2876 dwm
    648     27 25996 44428   170  23.13 4084 chrome
   2917     48 47572 91580   350  16.89 2956 OUTLOOK
    121     10 27216 35312   137  14.66 3848 chrome
    701     31 20084 33860   169   7.32 2884 explorer
    120     12 31972 40476   135   4.46  912 chrome
    398     10 47152 48000   182   3.62 2396 powershell
    150      9  5904 16676    82   1.48  844 xchat
     55      3  1748  7544    46   1.44 3328 conhost
    267      9  3508 10784    95   1.20 3528 msseces
    126      8 12536 18088   121   0.81 3752 chrome
     75      4  1548  4632    39   0.64 3680 igfxsrvc
    119      7  9632 15060   117   0.53 2200 chrome
Now this data looks like perfect Splunk material, and might be an interesting set to index on a regular basis. However, it does not give us CPU percentage without calculating it.
You could also use PowerShell to leverage a WMI call (or call WMI by some other preferred method):
gwmi Win32_PerfFormattedData_PerfProc_Process | sort -p PercentProcessorTime -desc | % {$_.name + " " + $_.PercentProcessorTime}
Which would give you:
_Total 100
Idle 94
WmiPrvSE#1 6
OUTLOOK 0
taskhost#1 0
conhost 0
chrome#2 0
chrome#1 0
You can tune the WMI query to pull more info such as owner of the process, pid, etc.
Additionally you could use Sysinternals' pslist or pmon from the Windows 2003 resource kit tools, but neither of these lists % CPU, so you might as well stick with tasklist or the PowerShell approaches at that point.
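Taking the WMI route from the answer one step further, here is an added example of a scripted input that pulls in the PID and owner the answer mentions and turns the counter into something that lines up with the "100% CPU" symptom in the question. It is my own script, not code from the answer above or from Splunk; everything in it beyond the cmdlets and WMI classes themselves is an assumption of mine: the $Threshold default, the top-10 cut, the key=value field names, and the inputs.conf layout in the note below. Get-CimInstance, Invoke-CimMethod, Win32_PerfFormattedData_PerfProc_Process, Win32_Process and Win32_ComputerSystem are standard on Windows PowerShell 3.0 and later.

```powershell
# Added example: a Splunk scripted input that samples per-process CPU via WMI/CIM,
# joins PID -> owner/path, and prints one key=value line per process.
# Not code from the answer above. Assumed by me: the $Threshold default,
# the field names, the top-10 cut and the key=value output format.
param(
    [int]$Threshold = 90   # assumed: flag a process at or above this per-core %
)

$now      = Get-Date -Format 'yyyy-MM-ddTHH:mm:sszzz'
$computer = $env:COMPUTERNAME
$cores    = [int](Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

# Win32_Process maps a PID to its executable path and, through GetOwner,
# to the account running it (the "owner" and "pid" the answer mentions).
$byPid = @{}
foreach ($p in Get-CimInstance Win32_Process) {
    $owner = $null
    # System, Idle and protected processes refuse GetOwner; treat that as unknown.
    try { $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop } catch { }
    $byPid[[uint32]$p.ProcessId] = [pscustomobject]@{
        Path  = if ($p.ExecutablePath) { $p.ExecutablePath } else { 'N/A' }
        Owner = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'N/A' }
    }
}

# One sample of the formatted counters is already a percentage, so unlike the
# Get-Process CPU(s) column no delta arithmetic is needed. PercentProcessorTime
# is summed over cores: a process pinning one core of four reports 100, and
# _Total can reach 100 * $cores. cpu_raw keeps that per-core figure; cpu_pct
# divides by $cores for the machine-wide share, which is the number that
# matches the "100% CPU" reading in Task Manager.
Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
    Where-Object { $_.Name -notin '_Total', 'Idle' } |
    Sort-Object PercentProcessorTime -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        $info  = $byPid[[uint32]$_.IDProcess]   # $null if the process exited between samples
        $owner = if ($info) { $info.Owner } else { 'N/A' }
        $path  = if ($info) { $info.Path }  else { 'N/A' }
        $pct   = [math]::Round($_.PercentProcessorTime / $cores, 1)
        $state = if ($_.PercentProcessorTime -ge $Threshold) { 'high' } else { 'normal' }
        # Quote values that can contain spaces or backslashes so Splunk's
        # default key=value extraction keeps them intact.
        '{0} host="{1}" name="{2}" pid={3} cpu_raw={4} cpu_pct={5} ws_kb={6} owner="{7}" path="{8}" state={9}' -f `
            $now, $computer, $_.Name, $_.IDProcess, $_.PercentProcessorTime, $pct,
            [int]($_.WorkingSet / 1KB), $owner, $path, $state
    }
```

On Windows, Splunk runs scripted inputs through a .cmd or .bat wrapper, so the assumed layout is a one-line wrapper in the app's bin directory that calls powershell.exe -ExecutionPolicy Bypass -File with the path to this script, referenced from inputs.conf as [script://$SPLUNK_HOME\etc\apps\<app>\bin\cpu_top.cmd] with an interval of 60 seconds or so. Because each line carries a timestamp and host, a search such as state=high | stats count by name, owner over the window in which the box locks up will name the process (and the account it runs under) without having to catch it live. The only judgement call in the script is what counts as "high": it flags on the per-core figure, so a single process that pins one core shows up even on a machine with many cores; if you only care about the machine-wide share, compare $pct instead.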