Community, I need some help working with 2 different source types.
I'm trying to run a search where I need to match information from 2 sources in 1 table.
What I'm trying to do is:
index=uberagent sourcetype=uberAgent:OnOffTransition:StandbyDetail2
| search host=*
| where TargetStateDisplayName = "Hibernate"
| join host
[ search index=uberagent sourcetype=uberAgent:System:SystemPerformanceSummary2
| stats avg(CPUUsagePercent) as "%CPU Usage"
| stats avg(IOPercentDiskTime) as "%IO Time"
| stats avg(RAMUsagePercent) as "%RAM Usage"
|return "%CPU Usage", "%IO Time", ]
| stats count(TargetStateDisplayName) as "Total Events" by host
| rename TargetStateDisplayName as "Machine Event"
| eval "Machine Event" = "Hibernate"
| rename host as "Machine Name"
| table "Machine Name" "Total Events" "%CPU Usage" "%RAM Usage" "%IO Time"
| sort - "Total Events"
| head 15
Note that I already tried using sourcetype=A OR sourcetype=B, and also tried using | append, with no success.
Your query seems to be very wrong. Can you try this:
index=uberagent (sourcetype=uberAgent:OnOffTransition:StandbyDetail2 host=* TargetStateDisplayName = "Hibernate") OR sourcetype=uberAgent:System:SystemPerformanceSummary2
| stats count(TargetStateDisplayName) as "Total Events" avg(CPUUsagePercent) as "%CPU Usage" avg(IOPercentDiskTime) as "%IO Time" avg(RAMUsagePercent) as "%RAM Usage" by host
| rename host as "Machine Name"
| table "Machine Name" "Total Events" "%CPU Usage" "%RAM Usage" "%IO Time"
| sort 15 - "Total Events"
If this does not work, then share a sample event from both sourcetypes and let me know the output you want to achieve.
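As an added example that is not part of this thread, the same single-search OR plus stats-by-host pattern from the answer, extended to make the two edge cases of that pattern visible: hosts seen only in the performance sourcetype (zero hibernate events, dropped) and hosts with hibernate events but no performance samples (empty averages, labelled). Sourcetype and field names are those from the question; the "Perf Samples" column and the "no data" label are assumptions added here.

```spl
index=uberagent
    (sourcetype=uberAgent:OnOffTransition:StandbyDetail2 TargetStateDisplayName="Hibernate")
    OR sourcetype=uberAgent:System:SystemPerformanceSummary2
    `comment("Added example, not the thread's own query. count(field) only counts events that carry the field, so the hibernate count comes from the transition sourcetype and the averages come from the performance sourcetype, even though both are in one result set")`
| stats count(TargetStateDisplayName) as "Total Events"
        count(eval(sourcetype=="uberAgent:System:SystemPerformanceSummary2")) as "Perf Samples"
        avg(CPUUsagePercent) as "%CPU Usage"
        avg(IOPercentDiskTime) as "%IO Time"
        avg(RAMUsagePercent) as "%RAM Usage"
        by host
    `comment("Hosts that only appear in the performance sourcetype get Total Events = 0; drop them")`
| where 'Total Events' > 0
    `comment("round() on a null average stays null, so hosts with no performance samples keep empty averages")`
| eval "%CPU Usage"=round('%CPU Usage', 1),
       "%IO Time"=round('%IO Time', 1),
       "%RAM Usage"=round('%RAM Usage', 1)
    `comment("Label the empty averages instead of showing blank cells; 'no data' is a constructed label")`
| fillnull value="no data" "%CPU Usage" "%IO Time" "%RAM Usage"
| rename host as "Machine Name"
| table "Machine Name" "Total Events" "Perf Samples" "%CPU Usage" "%RAM Usage" "%IO Time"
| sort 15 - "Total Events"
```

The "Perf Samples" column shows how many performance events backed each host's averages, which is the quickest way to spot a host whose averages rest on one or two samples.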
Thank you mayurr98! That is exactly what I need.
Multiple sourcetypes were a little confusing to me, but now things are much clearer.