https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cpu-and-memory-usage/m-p/1247939#M336 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/693630547">@kadirerol</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>To visualize CPU and memory usage for the Cortex XDR/XSIAM service, you must use the <CODE>it_metrics</CODE> dataset. This dataset is designed to collect performance data from endpoints.</P> <P>&nbsp;</P> <P><STRONG>Prerequisites:</STRONG></P> <P>Before querying this data, ensure that <STRONG>IT Metrics Collection</STRONG> is enabled in your Agent Settings profile:</P> <OL> <LI> <P>Navigate to <STRONG>Settings → Endpoints → Agent Settings</STRONG>.</P> </LI> <LI> <P>Edit the relevant profile.</P> </LI> <LI> <P>Enable the <STRONG>Collect IT Data</STRONG> option.</P> </LI> </OL> <H4>&nbsp;</H4> <H4>XQL Query for XDR Service Performance</H4> <P>The following query filters for common Cortex XDR process names (such as <CODE>cyserver.exe</CODE>, <CODE>trapsd</CODE>, and <CODE>pmd</CODE>), calculates hourly averages for CPU and memory usage, and prepares the data for a line graph.</P> <P>In the <CODE>it_metrics</CODE> dataset:</P> <UL> <LI> <P>CPU usage is reported as a percentage (%) per core.</P> </LI> <LI> <P>Memory usage is reported in bytes.</P> </LI> </UL> <PRE><CODE class="language-sql">dataset = it_metrics | filter os_actor_process_os_name in ("trapsd", "trapsd.exe", "cyserver.exe", "pmd", "cortex-xdr-payload.exe") | bin _time span = 1h | comp avg(cpu_avg) as avg_cpu_percent, avg(memory_avg) as avg_memory_bytes by _time, os_actor_process_os_name, agent_hostname | alter avg_memory_mb = round(divide(avg_memory_bytes, 1048576), 2) | view graph type = line xaxis = _time yaxis = avg_cpu_percent series = os_actor_process_os_name </CODE></PRE> <H4>&nbsp;</H4> <H4>Understanding the Results:</H4> <P><STRONG>CPU Usage (<CODE>cpu_avg</CODE>)</STRONG><BR />Reported as a percentage per core. For example, a value of 10 on a 4-core system represents 10% of a single core’s capacity.</P> <P><STRONG>Memory Usage (<CODE>memory_avg</CODE>)</STRONG><BR />Reported in bytes. The query converts this value into megabytes (MB) by dividing by 1,048,576.</P> <P><STRONG>Visualization Adjustment</STRONG><BR />To switch between viewing CPU and memory on the graph, change the <CODE>yaxis</CODE> parameter in the <CODE>view graph</CODE> stage to either:</P> <UL> <LI> <P><CODE>avg_cpu_percent</CODE>, or</P> </LI> <LI> <P><CODE>avg_memory_mb</CODE></P> </LI> </UL> <H4>&nbsp;</H4> <H4>Common XDR Process Names by OS:</H4> <P><STRONG>Windows:</STRONG></P> <UL> <LI> <P><CODE>cyserver.exe</CODE></P> </LI> <LI> <P><CODE>trapsd.exe</CODE></P> </LI> <LI> <P><CODE>cortex-xdr-payload.exe</CODE></P> </LI> </UL> <P><STRONG>Linux:</STRONG></P> <UL> <LI> <P><CODE>trapsd</CODE></P> </LI> <LI> <P><CODE>pmd</CODE><CODE></CODE></P> </LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 11 Feb 2026 14:11:55 GMT susekar 2026-02-11T14:11:55Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cpu-and-memory-usage/m-p/1244660#M291 <P data-start="72" data-end="93"><STRONG data-start="72" data-end="91">Hello everyone,</STRONG></P> <P data-start="100" data-end="311">I’m looking for an XQL query that shows CPU and memory usage.<BR data-start="161" data-end="164" />For example, I want to visualize something like: <EM data-start="215" data-end="285" data-is-only-node="">the XDR service consumes an average of X% memory and Y% CPU per hour</EM>, preferably as a graph.</P> <P data-start="318" data-end="350">Could you please help with this?</P> Fri, 26 Dec 2025 05:50:37 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cpu-and-memory-usage/m-p/1244660#M291 kadirerol 2025-12-26T05:50:37Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cpu-and-memory-usage/m-p/1247939#M336 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/693630547">@kadirerol</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>To visualize CPU and memory usage for the Cortex XDR/XSIAM service, you must use the <CODE>it_metrics</CODE> dataset. This dataset is designed to collect performance data from endpoints.</P> <P>&nbsp;</P> <P><STRONG>Prerequisites:</STRONG></P> <P>Before querying this data, ensure that <STRONG>IT Metrics Collection</STRONG> is enabled in your Agent Settings profile:</P> <OL> <LI> <P>Navigate to <STRONG>Settings → Endpoints → Agent Settings</STRONG>.</P> </LI> <LI> <P>Edit the relevant profile.</P> </LI> <LI> <P>Enable the <STRONG>Collect IT Data</STRONG> option.</P> </LI> </OL> <H4>&nbsp;</H4> <H4>XQL Query for XDR Service Performance</H4> <P>The following query filters for common Cortex XDR process names (such as <CODE>cyserver.exe</CODE>, <CODE>trapsd</CODE>, and <CODE>pmd</CODE>), calculates hourly averages for CPU and memory usage, and prepares the data for a line graph.</P> <P>In the <CODE>it_metrics</CODE> dataset:</P> <UL> <LI> <P>CPU usage is reported as a percentage (%) per core.</P> </LI> <LI> <P>Memory usage is reported in bytes.</P> </LI> </UL> <PRE><CODE class="language-sql">dataset = it_metrics | filter os_actor_process_os_name in ("trapsd", "trapsd.exe", "cyserver.exe", "pmd", "cortex-xdr-payload.exe") | bin _time span = 1h | comp avg(cpu_avg) as avg_cpu_percent, avg(memory_avg) as avg_memory_bytes by _time, os_actor_process_os_name, agent_hostname | alter avg_memory_mb = round(divide(avg_memory_bytes, 1048576), 2) | view graph type = line xaxis = _time yaxis = avg_cpu_percent series = os_actor_process_os_name </CODE></PRE> <H4>&nbsp;</H4> <H4>Understanding the Results:</H4> <P><STRONG>CPU Usage (<CODE>cpu_avg</CODE>)</STRONG><BR />Reported as a percentage per core. For example, a value of 10 on a 4-core system represents 10% of a single core’s capacity.</P> <P><STRONG>Memory Usage (<CODE>memory_avg</CODE>)</STRONG><BR />Reported in bytes. The query converts this value into megabytes (MB) by dividing by 1,048,576.</P> <P><STRONG>Visualization Adjustment</STRONG><BR />To switch between viewing CPU and memory on the graph, change the <CODE>yaxis</CODE> parameter in the <CODE>view graph</CODE> stage to either:</P> <UL> <LI> <P><CODE>avg_cpu_percent</CODE>, or</P> </LI> <LI> <P><CODE>avg_memory_mb</CODE></P> </LI> </UL> <H4>&nbsp;</H4> <H4>Common XDR Process Names by OS:</H4> <P><STRONG>Windows:</STRONG></P> <UL> <LI> <P><CODE>cyserver.exe</CODE></P> </LI> <LI> <P><CODE>trapsd.exe</CODE></P> </LI> <LI> <P><CODE>cortex-xdr-payload.exe</CODE></P> </LI> </UL> <P><STRONG>Linux:</STRONG></P> <UL> <LI> <P><CODE>trapsd</CODE></P> </LI> <LI> <P><CODE>pmd</CODE><CODE></CODE></P> </LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 11 Feb 2026 14:11:55 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cpu-and-memory-usage/m-p/1247939#M336 susekar 2026-02-11T14:11:55Z