I am looking to summarize some of the Unix app searches, such as "memory by process".
What's the best way to summarize and report on a group of hosts instead of the single host that the prepopulated Unix app search runs on?
index=os sourcetype=ps host=landdb01a.sso-bo.ilg1.vrsn.com
| multikv fields RSZ_KB, COMMAND
| sitimechart eval(median(RSZ_KB)/1024) as ResidentMB by COMMAND
I would recommend using the categories and groups feature built in to the app if you want to summarize. After you set up the category and groups, you'll use the category and group fields rather than the host field.
Thanks, I'll have to start using the newest Unix app. I'm a bit behind the times on the 4.x app and did not see the categories/groups.