Example: CPU usage spike
CPU utilization is likely to vary throughout the day, and high CPU usage is expected and normal under certain circumstances. CPU utilization can be especially high during nightly batch or offline model processing.
In cases where the CPU spike(s) are not aligned with nightly batch or offline model processing, and you also observe errors in the logs and model failure, consider the spike(s) abnormal and contact support.
You can use the graphs available in the Splunk UBA Monitoring App to examine any CPU spikes. These graphs can be found under Monitoring > Systems, as shown in the following image:
The following image shows example CPU usage data as captured from the Splunk UBA Monitoring App over a past 48-hour period. Each line in the graph represents a node. You can see there are usage spikes for particular nodes. You can hover over any point in the graph to see additional information:
The following image uses the same 48-hour period as the previous image, but opened in the Search tab of the Splunk UBA Monitoring App with the time span set to 1 minute. This finer time span gives a more precise measurement of CPU usage. You can see that the utilization of certain nodes is spiking up to 100%:
This view into the CPU usage shows healthy behavior in spite of the high spikes. The CPU utilization is rising overnight at about the same point in time, and then coming back down during the day.
The following image shows another example of a CPU usage spike at night. Again, the CPU utilization is rising overnight and then coming back down during the day:
For informational purposes only, you can open the /opt/caspida/content/Splunk-Standard-Security/jobs/scheduler/jobs.json file to determine when a model runs at night. You can also view the schedule of the following models:
| Model name | Schedule (Quartz cron: sec min hour day-of-month month day-of-week) | Runs |
|---|---|---|
| External Destination Popularity | `0 0 0 * * ?` | every day at midnight |
| Deterministic Profiling Model | `0 5 0 * * ?` | every day at 12:05 AM |
| VPN related Anomaly Detection Models | `0 30 1 * * ?` | every day at 1:30 AM |
| Beacon Assessment Model | `0 0 2 * * ?` | every day at 2:00 AM |
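The triage rule above (a spike aligned with a scheduled model run is expected; an unaligned spike accompanied by errors and model failure is abnormal) can be checked programmatically. The following is an added example, not Splunk UBA code: it parses the six-field Quartz schedules from the table and classifies spike timestamps read off the 1-minute graph. The spike timestamps, the 60-minute match window and the error flags are constructed assumptions.

```python
# Added example (not Splunk UBA code): triage CPU-spike timestamps against the
# nightly Quartz schedule quoted above. Spike timestamps, the 60-minute window
# and the error flags are constructed assumptions.
from datetime import datetime, time, timedelta

# Model -> "sec min hour day-of-month month day-of-week" (values from the page)
MODEL_SCHEDULE = {
    "External Destination Popularity": "0 0 0 * * ?",
    "Deterministic Profiling Model": "0 5 0 * * ?",
    "VPN related Anomaly Detection Models": "0 30 1 * * ?",
    "Beacon Assessment Model": "0 0 2 * * ?",
}

def parse_daily_quartz(expr: str) -> time:
    """Time of day for a fixed daily Quartz expression ('sec min hour * * ?').
    Ranges, lists or day restrictions are rejected rather than misread."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 Quartz fields: {expr!r}")
    sec, minute, hour, dom, month, dow = fields
    if dom not in ("*", "?") or month != "*" or dow not in ("*", "?"):
        raise ValueError(f"not a plain daily schedule: {expr!r}")
    return time(int(hour), int(minute), int(sec))

def classify_spike(spike: datetime, errors_seen: bool, window_min: int = 60):
    """'expected' if a model started within window_min minutes before the spike;
    'abnormal' if nothing is nearby and errors/model failures were seen; else 'unaligned'."""
    for model, expr in MODEL_SCHEDULE.items():
        start = datetime.combine(spike.date(), parse_daily_quartz(expr))
        # Also test the previous calendar day's run so a spike just after
        # midnight can match a job that started late the evening before.
        for candidate in (start, start - timedelta(days=1)):
            if timedelta(0) <= spike - candidate <= timedelta(minutes=window_min):
                return "expected", model
    return ("abnormal" if errors_seen else "unaligned"), None

def triage(spikes):
    """spikes: iterable of (ISO-8601 timestamp, errors_seen) ->
    list of (timestamp, status, matching model or None)."""
    return [(ts, *classify_spike(datetime.fromisoformat(ts), err))
            for ts, err in spikes]

if __name__ == "__main__":
    # Constructed spike samples, as one might read them off the 1-minute graph.
    SAMPLE_SPIKES = [("2024-05-02T00:07:00", False), ("2024-05-02T01:45:00", False),
                     ("2024-05-02T14:20:00", True), ("2024-05-02T10:00:00", False)]
    for row in triage(SAMPLE_SPIKES):
        print(row)
```

Spikes flagged "abnormal" are the ones the text says to treat as a support case; "unaligned" spikes have no schedule match but no accompanying errors, so they warrant a closer look at the logs before escalating.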