Hosts Reporting| stats dc(hostname) as total_hostsHigh CPU| bin _time span=$sustained_span$
| stats min(cpu_used) as min_cpu by hostname _time
| where min_cpu > $cpu_threshold_val$
| stats dc(hostname) as high_cpu_hostsif(isnotnull($show_high_cpu_detail$), null(), "true")Memory Pressure| where 'memory.memory_pressure' != "normal"
| stats dc(hostname) as pressure_hostsif(isnotnull($show_mem_pressure_detail$), null(), "true")Thermal Throttling| where 'cpu.thermal_state' != "nominal"
| stats dc(hostname) as thermal_hostsif(isnotnull($show_thermal_detail$), null(), "true")Low Disk (<10GB)| where 'disk.disk_free_gb' < 10
| stats dc(hostname) as low_disk_hostsif(isnotnull($show_low_disk_detail$), null(), "true")Low Battery| where 'power.battery_percent' < 20 AND 'power.on_ac' = "false"
| stats dc(hostname) as low_batteryif(isnotnull($show_low_battery_detail$), null(), "true")High CPU Detail — Hosts above $cpu_threshold_val$% for $sustained_span$+ (click a host for window detail)
index=$index_name$ sourcetype="$sourcetype_name$" NOT event_type="watched_process"
| spath
| spath path=cpu.cpu_idle output=cpu.cpu_idle
| eval hostname = mvindex(hostname, 0)
| eval cpu_used = 100 - 'cpu.cpu_idle'
| spath path=processes.top_cpu_processes{0}.name output=top_process
| bin _time span=$sustained_span$
| eventstats min(cpu_used) as min_cpu by hostname _time
| where min_cpu > $cpu_threshold_val$
| eventstats dc(_time) as episodes avg(cpu_used) as host_avg_cpu max(cpu_used) as host_peak_cpu latest(_time) as last_seen by hostname
| stats count as appearances first(episodes) as episodes first(host_avg_cpu) as avg_cpu first(host_peak_cpu) as peak_cpu first(last_seen) as last_seen by hostname top_process
| sort hostname -appearances
| streamstats count as rank by hostname
| where rank <= 3
| eval proc_info = top_process." (".appearances."x)"
| stats first(episodes) as episodes first(avg_cpu) as avg_cpu first(peak_cpu) as peak_cpu first(last_seen) as last_seen values(proc_info) as top_offenders by hostname
| eval span_sec = case("$sustained_span$"=="10s", 10, "$sustained_span$"=="1m", 60, "$sustained_span$"=="5m", 300, "$sustained_span$"=="15m", 900, 1=1, 60)
| eval total_sec = episodes * span_sec
| eval duration = case(total_sec < 60, total_sec." sec", total_sec < 3600, round(total_sec/60, 0)." min", 1=1, round(total_sec/3600, 1)." hrs")
| eval avg_cpu = round(avg_cpu, 1)
| eval peak_cpu = round(peak_cpu, 1)
| eval last_seen = strftime(last_seen, "%m/%d %I:%M %p")
| eval top_offenders = mvjoin(top_offenders, ", ")
| table hostname duration avg_cpu peak_cpu last_seen top_offenders
| rename hostname as "Host", duration as "Total Duration", avg_cpu as "Avg CPU %", peak_cpu as "Peak CPU %", last_seen as "Last Seen", top_offenders as "Top Offenders"
| sort -"Peak CPU %"$time_range.earliest$$time_range.latest$$row.Host$
$high_cpu_host$ — Each $sustained_span$ window where CPU stayed above $cpu_threshold_val$%✕ Close
index=$index_name$ sourcetype="$sourcetype_name$" hostname="$high_cpu_host$" NOT event_type="watched_process"
| spath
| spath path=cpu.cpu_idle output=cpu.cpu_idle
| eval hostname = mvindex(hostname, 0)
| eval cpu_used = 100 - 'cpu.cpu_idle'
| spath path=processes.top_cpu_processes{0}.name output=top_process
| spath path=processes.top_cpu_processes{0}.cpu_percent output=top_proc_cpu
| bin _time span=$sustained_span$
| stats min(cpu_used) as min_cpu avg(cpu_used) as avg_cpu max(cpu_used) as peak_cpu values(top_process) as top_processes max(top_proc_cpu) as top_proc_cpu count as samples by _time
| where min_cpu > $cpu_threshold_val$
| eval avg_cpu = round(avg_cpu, 1)
| eval peak_cpu = round(peak_cpu, 1)
| eval min_cpu = round(min_cpu, 1)
| eval top_proc_cpu = round(top_proc_cpu, 1)
| eval top_processes = mvjoin(top_processes, ", ")
| eval window = strftime(_time, "%m/%d %I:%M:%S %p")
| table window samples min_cpu avg_cpu peak_cpu top_processes top_proc_cpu
| rename window as "Window Start", samples as "Samples", min_cpu as "Min CPU %", avg_cpu as "Avg CPU %", peak_cpu as "Peak CPU %", top_processes as "Top Processes", top_proc_cpu as "Top Proc CPU %"
| sort -"Window Start"$time_range.earliest$$time_range.latest$
Memory Pressure Detail — Affected Hosts (click "Memory Pressure" again to close)
index=$index_name$ sourcetype="$sourcetype_name$" NOT event_type="watched_process"
| spath
| spath path=memory.memory_pressure output=memory.memory_pressure
| spath path=memory.mem_active_mb output=memory.mem_active_mb
| spath path=memory.mem_wired_mb output=memory.mem_wired_mb
| spath path=memory.mem_compressed_mb output=memory.mem_compressed_mb
| spath path=memory.swap_used_mb output=memory.swap_used_mb
| eval hostname = mvindex(hostname, 0)
| where 'memory.memory_pressure' != "normal"
| eval mem_used_gb = ('memory.mem_active_mb' + 'memory.mem_wired_mb' + 'memory.mem_compressed_mb') / 1024
| spath path=processes.top_mem_processes{0}.name output=top_process
| stats count as events latest(memory.memory_pressure) as pressure max(mem_used_gb) as peak_mem_gb max(memory.swap_used_mb) as peak_swap_mb latest(_time) as last_seen values(top_process) as top_processes by hostname
| eval peak_mem_gb = round(peak_mem_gb, 1)
| eval peak_swap_mb = round(peak_swap_mb, 0)
| eval last_seen = strftime(last_seen, "%m/%d %I:%M %p")
| eval top_processes = mvjoin(top_processes, ", ")
| table hostname pressure events peak_mem_gb peak_swap_mb last_seen top_processes
| rename hostname as "Host", pressure as "Pressure", events as "Events", peak_mem_gb as "Peak Mem (GB)", peak_swap_mb as "Peak Swap (MB)", last_seen as "Last Seen", top_processes as "Top Processes"
| sort -"Peak Mem (GB)"$time_range.earliest$$time_range.latest${"warning":#F8BE34,"critical":#DC4E41}
Thermal Throttling Detail — Affected Hosts (click "Thermal Throttling" again to close)
| where 'cpu.thermal_state' != "nominal"
| stats latest(cpu.thermal_state) as thermal latest(cpu_used) as cpu_used by hostname
| eval cpu_used = round(cpu_used, 1)
| table hostname thermal cpu_used
| rename hostname as "Host", thermal as "Thermal State", cpu_used as "CPU %"
| sort -"CPU %"{"fair":#F8BE34,"serious":#F1813F,"critical":#DC4E41}
Low Disk Detail — Hosts with <10GB Free (click "Low Disk" again to close)
| where 'disk.disk_free_gb' < 10
| stats latest(disk.disk_free_gb) as disk_free latest(disk.disk_percent_used) as disk_pct by hostname
| eval disk_free = round(disk_free, 1)
| eval disk_pct = round(disk_pct, 1)
| table hostname disk_free disk_pct
| rename hostname as "Host", disk_free as "Free (GB)", disk_pct as "Used %"
| sort disk_free
Low Battery Detail — Hosts <20% on Battery (click "Low Battery" again to close)
| where 'power.battery_percent' < 20 AND 'power.on_ac' = "false"
| stats latest(power.battery_percent) as battery latest(power.battery_state) as state by hostname
| table hostname battery state
| rename hostname as "Host", battery as "Battery %", state as "State"
| sort battery
Host Performance Summaryfalse— Fleet View (no host) —index=$index_name$ sourcetype="$sourcetype_name$" NOT event_type="watched_process" earliest=-7d | stats count by hostname | fields hostname | sort hostnamehostnamehostnamehostname="""true"
| stats latest(cpu_used) as cpu_used latest(cpu.thermal_state) as thermal latest(memory.memory_pressure) as mem_pressure latest(mem_used_gb) as mem_used_gb latest(memory.swap_used_mb) as swap_mb latest(disk.disk_free_gb) as disk_free_gb latest(power.battery_percent) as battery latest(power.on_ac) as on_ac latest(processes.process_count) as process_count by hostname
| eval cpu_used = round(cpu_used, 1)
| eval mem_used_gb = round(mem_used_gb, 1)
| eval disk_free_gb = round(disk_free_gb, 1)
| eval power = case(isnull(on_ac), "AC (Desktop)", on_ac = "true", "AC", 1=1, "Battery")
| table hostname cpu_used thermal mem_pressure mem_used_gb swap_mb disk_free_gb battery power process_count
| rename hostname as "Host", cpu_used as "CPU %", thermal as "Thermal", mem_pressure as "Mem Pressure", mem_used_gb as "Mem Used (GB)", swap_mb as "Swap (MB)", disk_free_gb as "Disk Free (GB)", battery as "Battery %", power as "Power", process_count as "Processes"
| sort -"CPU %"{"nominal":#53A051,"fair":#F8BE34,"serious":#F1813F,"critical":#DC4E41}{"normal":#53A051,"warning":#F8BE34,"critical":#DC4E41}hostname="$row.Host$""true"
Select a host from the dropdown above to view detailed charts, processes, and watched process data.
CPU & Memory
CPU Usage Trend| eval cpu_user_sys = 'cpu.cpu_user' + 'cpu.cpu_sys'
| timechart $chart_span$ avg(cpu_user_sys) as "Avg CPU %" max(cpu_user_sys) as "Peak CPU %" avg(cpu.cpu_user) as "User %" avg(cpu.cpu_sys) as "System %"$click.value$strftime($click.value$, "%I:%M:%S %p")Memory Usage Trend (GB)| eval active_gb = 'memory.mem_active_mb' / 1024
| eval wired_gb = 'memory.mem_wired_mb' / 1024
| eval compressed_gb = 'memory.mem_compressed_mb' / 1024
| eval swap_gb = 'memory.swap_used_mb' / 1024
| timechart $chart_span$ avg(active_gb) as "Active" avg(wired_gb) as "Wired" avg(compressed_gb) as "Compressed" avg(swap_gb) as "Swap"$click.value$strftime($click.value$, "%I:%M:%S %p")Top CPU Processes at $cpu_click_display$✕ Close
index=$index_name$ sourcetype="$sourcetype_name$" $summary_host_filter$ NOT event_type="watched_process"
| spath
| spath path=cpu.cpu_idle output=cpu.cpu_idle
| eval hostname = mvindex(hostname, 0)
| eval _click_epoch = $cpu_click_time$
| where _time >= (_click_epoch - 60) AND _time <= (_click_epoch + 60)
| eval cpu_used = 100 - 'cpu.cpu_idle'
| sort -cpu_used
| head 1
| spath path=processes.top_cpu_processes{} output=proc
| mvexpand proc
| spath input=proc
| eval cpu_percent = round(cpu_percent, 1)
| table name pid cpu_percent
| rename name as "Process", pid as "PID", cpu_percent as "CPU %"$time_range.earliest$$time_range.latest$
Top Memory Processes at $mem_click_display$✕ Close
Top Network Processes at $net_click_display$✕ Close
index=$index_name$ sourcetype="$sourcetype_name$" $summary_host_filter$ NOT event_type="watched_process"
| spath
| eval hostname = mvindex(hostname, 0)
| eval _click_epoch = $net_click_time$
| where _time >= (_click_epoch - 60) AND _time <= (_click_epoch + 60)
| eval net_total = 'network.net_bytes_in' + 'network.net_bytes_out'
| sort -net_total
| head 1
| spath path=processes.top_net_processes{} output=proc
| mvexpand proc
| spath input=proc
| eval in_kb = round(bytes_in / 1024, 1)
| eval out_kb = round(bytes_out / 1024, 1)
| eval total_kb = round((bytes_in + bytes_out) / 1024, 1)
| table name pid in_kb out_kb total_kb
| rename name as "Process", pid as "PID", in_kb as "In (KB)", out_kb as "Out (KB)", total_kb as "Total (KB)"
| sort -"Total (KB)"$time_range.earliest$$time_range.latest$
GPU Utilization Trend| timechart $chart_span$ avg(gpu.gpu_utilization_percent) as "GPU %" avg(gpu.gpu_renderer_percent) as "Renderer %" avg(gpu.gpu_tiler_percent) as "Tiler %"Battery Level Trend| timechart $chart_span$ avg(power.battery_percent) as "Battery %"
Top Processes
Top CPU Processes (Sustained Activity)
index=$index_name$ sourcetype="$sourcetype_name$" $summary_host_filter$ NOT event_type="watched_process"
| spath
| eval hostname = mvindex(hostname, 0)
| eventstats dc(_time) as total_events
| spath path=processes.top_cpu_processes{} output=proc
| mvexpand proc
| spath input=proc
| stats avg(cpu_percent) as avg_cpu max(cpu_percent) as peak_cpu dc(_time) as unique_samples values(pid) as pids values(ppid) as parent_pids first(total_events) as total_events by name
| eval presence = round(unique_samples / total_events * 100, 1)
| eval impact = case(
presence >= 50 AND avg_cpu >= 20, "Sustained",
presence >= 15, "Recurring",
1=1, "Spike")
| eval impact_score = avg_cpu * presence / 100
| sort -impact_score
| head 10
| eval avg_cpu = round(avg_cpu, 1)
| eval peak_cpu = round(peak_cpu, 1)
| table name pids parent_pids avg_cpu peak_cpu presence impact
| rename name as "Process", pids as "PIDs", parent_pids as "Parent PIDs", avg_cpu as "Avg CPU %", peak_cpu as "Peak CPU %", presence as "Presence %", impact as "Impact"$time_range.earliest$$time_range.latest${"Sustained":#DC4E41,"Recurring":#F8BE34,"Spike":#53A051}
Top Memory Processes (Sustained Activity)
index=$index_name$ sourcetype="$sourcetype_name$" $summary_host_filter$ NOT event_type="watched_process"
| spath
| eval hostname = mvindex(hostname, 0)
| eventstats dc(_time) as total_events
| spath path=processes.top_mem_processes{} output=proc
| mvexpand proc
| spath input=proc
| stats avg(memory_mb) as avg_mem max(memory_mb) as peak_mem dc(_time) as unique_samples values(pid) as pids values(ppid) as parent_pids first(total_events) as total_events by name
| eval presence = round(unique_samples / total_events * 100, 1)
| eval impact = case(
presence >= 50 AND avg_mem >= 200, "Sustained",
presence >= 15, "Recurring",
1=1, "Spike")
| eval impact_score = avg_mem * presence / 100
| sort -impact_score
| head 10
| eval avg_mem = round(avg_mem, 0)
| eval peak_mem = round(peak_mem, 0)
| table name pids parent_pids avg_mem peak_mem presence impact
| rename name as "Process", pids as "PIDs", parent_pids as "Parent PIDs", avg_mem as "Avg Mem (MB)", peak_mem as "Peak Mem (MB)", presence as "Presence %", impact as "Impact"$time_range.earliest$$time_range.latest${"Sustained":#DC4E41,"Recurring":#F8BE34,"Spike":#53A051}
Top CPU Consumers During High CPU Events
index=$index_name$ sourcetype="$sourcetype_name$" $summary_host_filter$ NOT event_type="watched_process"
| spath
| spath path=cpu.cpu_idle output=cpu.cpu_idle
| eval hostname = mvindex(hostname, 0)
| eval cpu_used = 100 - 'cpu.cpu_idle'
| where cpu_used > $cpu_threshold_val$
| spath path=processes.top_cpu_processes{} output=proc
| mvexpand proc
| spath input=proc
| stats count as occurrences avg(cpu_percent) as avg_cpu max(cpu_percent) as peak_cpu by name
| sort -occurrences
| head 5
| eval avg_cpu = round(avg_cpu, 1)
| eval peak_cpu = round(peak_cpu, 1)
| table name occurrences avg_cpu peak_cpu
| rename name as "Process", occurrences as "Events", avg_cpu as "Avg CPU %", peak_cpu as "Peak CPU %"$time_range.earliest$$time_range.latest$
Top Memory Consumers During Pressure Events
index=$index_name$ sourcetype="$sourcetype_name$" $summary_host_filter$
| spath
| spath path=memory.memory_pressure output=memory.memory_pressure
| eval hostname = mvindex(hostname, 0)
| where 'memory.memory_pressure' != "normal"
| spath path=processes.top_mem_processes{} output=proc
| mvexpand proc
| spath input=proc
| stats count as occurrences avg(memory_mb) as avg_mem max(memory_mb) as peak_mem by name
| sort -occurrences
| head 5
| eval avg_mem = round(avg_mem, 0)
| eval peak_mem = round(peak_mem, 0)
| table name occurrences avg_mem peak_mem
| rename name as "Process", occurrences as "Events", avg_mem as "Avg Mem (MB)", peak_mem as "Peak Mem (MB)"$time_range.earliest$$time_range.latest$
Watched Processes
Watched Processes (Current Status)
index=$index_name$ sourcetype="$sourcetype_name$" event_type="watched_process" $summary_host_filter$
| spath
| eval hostname = mvindex(hostname, 0)
| search $watched_process_filter$
| stats latest(watched.cpu_percent) as cpu_percent latest(watched.memory_mb) as memory_mb latest(watched.process_count) as process_count by watched.process_pattern, hostname
| eval cpu_percent = round(cpu_percent, 1)
| eval memory_mb = round(memory_mb, 1)
| table hostname watched.process_pattern process_count cpu_percent memory_mb
| rename watched.process_pattern as "Pattern", hostname as "Host", process_count as "Instances", cpu_percent as "CPU %", memory_mb as "Memory (MB)"
| sort -cpu_percent$time_range.earliest$$time_range.latest$
Watched Process CPU Trendindex=$index_name$ sourcetype="$sourcetype_name$" event_type="watched_process" $summary_host_filter$
| spath
| search $watched_process_filter$
| timechart $chart_span$ avg(watched.cpu_percent) by watched.process_pattern$time_range.earliest$$time_range.latest$Watched Process Memory Trendindex=$index_name$ sourcetype="$sourcetype_name$" event_type="watched_process" $summary_host_filter$
| spath
| search $watched_process_filter$
| timechart $chart_span$ avg(watched.memory_mb) by watched.process_pattern$time_range.earliest$$time_range.latest$
Incidents & Fleet Info
High CPU Events — Above $cpu_threshold_val$% sustained for $sustained_span$+
index=$index_name$ sourcetype="$sourcetype_name$" NOT event_type="watched_process"
| spath
| spath path=cpu.cpu_idle output=cpu.cpu_idle
| spath path=cpu.thermal_state output=cpu.thermal_state
| eval hostname = mvindex(hostname, 0)
| eval cpu_used = 100 - 'cpu.cpu_idle'
| spath path=processes.top_cpu_processes{0}.name output=top_process
| bin _time span=$sustained_span$
| eventstats min(cpu_used) as min_cpu by hostname _time
| where min_cpu > $cpu_threshold_val$
| eventstats dc(_time) as episodes avg(cpu_used) as host_avg_cpu max(cpu_used) as host_peak_cpu latest(cpu.thermal_state) as host_thermal latest(_time) as last_seen by hostname
| stats count as appearances first(episodes) as episodes first(host_avg_cpu) as avg_cpu first(host_peak_cpu) as peak_cpu first(host_thermal) as thermal first(last_seen) as last_seen by hostname top_process
| sort hostname -appearances
| streamstats count as rank by hostname
| where rank <= 3
| eval proc_info = top_process." (".appearances."x)"
| stats first(episodes) as episodes first(avg_cpu) as avg_cpu first(peak_cpu) as peak_cpu first(thermal) as thermal first(last_seen) as last_seen values(proc_info) as top_offenders by hostname
| eval span_sec = case("$sustained_span$"=="10s", 10, "$sustained_span$"=="1m", 60, "$sustained_span$"=="5m", 300, "$sustained_span$"=="15m", 900, 1=1, 60)
| eval total_sec = episodes * span_sec
| eval duration = case(total_sec < 60, total_sec." sec", total_sec < 3600, round(total_sec/60, 0)." min", 1=1, round(total_sec/3600, 1)." hrs")
| eval avg_cpu = round(avg_cpu, 1)
| eval peak_cpu = round(peak_cpu, 1)
| eval last_seen = strftime(last_seen, "%m/%d %I:%M %p")
| eval top_offenders = mvjoin(top_offenders, ", ")
| table hostname duration avg_cpu peak_cpu thermal last_seen top_offenders
| rename hostname as "Host", duration as "Total Duration", avg_cpu as "Avg CPU %", peak_cpu as "Peak CPU %", thermal as "Thermal", last_seen as "Last Seen", top_offenders as "Top Offenders"
| sort -"Peak CPU %"$time_range.earliest$$time_range.latest${"nominal":#53A051,"fair":#F8BE34,"serious":#F1813F,"critical":#DC4E41}
Memory Pressure Events (Warning/Critical)
index=$index_name$ sourcetype="$sourcetype_name$" NOT event_type="watched_process"
| spath
| spath path=memory.memory_pressure output=memory.memory_pressure
| spath path=memory.mem_active_mb output=memory.mem_active_mb
| spath path=memory.mem_wired_mb output=memory.mem_wired_mb
| spath path=memory.mem_compressed_mb output=memory.mem_compressed_mb
| spath path=memory.swap_used_mb output=memory.swap_used_mb
| eval hostname = mvindex(hostname, 0)
| where 'memory.memory_pressure' != "normal"
| eval mem_used_gb = ('memory.mem_active_mb' + 'memory.mem_wired_mb' + 'memory.mem_compressed_mb') / 1024
| spath path=processes.top_mem_processes{0}.name output=top_process
| stats count as events latest(memory.memory_pressure) as pressure max(mem_used_gb) as peak_mem_gb max(memory.swap_used_mb) as peak_swap_mb latest(_time) as last_seen values(top_process) as top_processes by hostname
| eval peak_mem_gb = round(peak_mem_gb, 1)
| eval peak_swap_mb = round(peak_swap_mb, 0)
| eval last_seen = strftime(last_seen, "%m/%d %I:%M %p")
| eval top_processes = mvjoin(top_processes, ", ")
| table hostname pressure events peak_mem_gb peak_swap_mb last_seen top_processes
| rename hostname as "Host", pressure as "Pressure", events as "Events", peak_mem_gb as "Peak Mem (GB)", peak_swap_mb as "Peak Swap (MB)", last_seen as "Last Seen", top_processes as "Top Processes"
| sort -"Peak Mem (GB)"$time_range.earliest$$time_range.latest${"warning":#F8BE34,"critical":#DC4E41}
Power Status| stats latest(power.on_ac) as on_ac by hostname
| eval power_status = case(isnull(on_ac), "Desktop (AC)", on_ac = "true", "On AC Power", 1=1, "On Battery")
| stats count by power_statusmacOS Version| stats latest(system.macos_version) as version by hostname
| stats count by version
| rename version as "Version"Chip Type| stats latest(system.chip_description) as chip by hostname
| stats count by chip
| rename chip as "Chip"