(English　※Sorry if my English is inaccurate.)
Great, clear answers, thank you!

I'm a beginner, but you explain things in a way that's easy to understand.
I understood it very well.

But what I want to do is much simpler.

I will state specifically.

I collect logs from multiple windows PC's.

The following query is then used to check CPU utilization.

index=performance source="Perfmon:CPU Load" counter="% Processor Time"
| bin span=1m _time
| stats avg(Value) AS cpu_usage by _time,host
| where cpu_usage > 85
| sort 0 -_time

However, all PCs are searched for in this query.

I only want to search for PCs belonging to a particular deployment server.

What is the best way to do this?

I would like to see search criteria added to this query.
（For example、　| where ServerClassNames="*Airwatch*" ？？　←This doesn't work.……）

(日本語)
迅速で丁寧な返信ありがとう！

私は初心者ですが、分かりやすく説明してくれているので、
とても理解できました。

しかし、私のやりたいことはもっと単純です。

具体的に述べます。

私は複数のwindowsPCのログを収集しています。

そして、以下のクエリでCPU使用率をチェックしています。

index=performance source="Perfmon:CPU Load" counter="% Processor Time"
| bin span=1m _time
| stats avg(Value) AS cpu_usage by _time,host
| where cpu_usage > 85
| sort 0 -_time

しかし、このクエリではすべてのPCが検索対象になります。

私は特定のデプロイメントサーバに属しているPCだけを検索対象としたいです。

何か良い方法はありますでしょうか？

このクエリに検索条件を加えてほしいです。

（For example.、　| where ServerClassNames="*Airwatch*" ？？　←This doesn't work.……）

I think I understand, you are wondering if there is an easier way.  You may also want a long term solution, one that automatically updates itself, not a one time solution. 

Unfortunately, to the best of my knowledge, there is not a field in Splunk by default that displays a hosts server class membership. 

The good news is we can create the field we need.  We can create the field called server_class.  And we can populate that field with the correct values.

We can create such a field, either with a lookup table or tagging, or an index time field extraction. 
   

For me, I would build on the method I suggested above, create a scheduled search on the deployment server that lists the members of each server class.  I would configure this report to write the results to an index. 

I would then schedule a search on the search head to turn this data into a lookup table.  the result would be a self-updating lookup table that lists all hosts and which server classes they are a member of.

Step 1 - scheduled report on deployment server

I would use this search:
| rest /services/deployment/server/clients count=0 splunk_server=local | stats values(serverClasses.*.stateOnClient) as * by hostname
| untable hostname server_class dummy
|fields - dummy
|collect index=test sourcetype=serverclass

this search will list ALL clients and server classes, then it will remove the field name dummy as it is not needed.  it then writes that data to an index, in this case the 'test' index. 

It also applies a sourcetype=serverclass.  Also please note that I used the untable command to create a field called 'server_class'.   I will then schedule this to run every day, so it will be self-updating.  

Step 2 - Schedule a search that creates a lookup table on the search head.

Now that I have run the above search at least once, there will be new event data in my 'test' index with a sourcetype of serverclass.   I can now run a search that will create a table of all hosts and the server classes they are a part of.  

index=test sourcetype=serverclass
|stats count by server_class hostname
|field - count
|outputlookup serverClassLookup.csv

this search will create a table of all hosts and server classes and then create a lookup file with those contents.  I will schedule this search same as the other one, so that it will update itself regularly.

Step 3 - set up lookup definition and automatic lookup
I will omit a detailed description of these steps in the interest of time, if you want more details on how to do so, I am happy to elaborate.  For now, let assume you did so.  You are now able to do a basic Splunk search such as index=wineventlog server_class=Airwatch.

Now there are other ways to solve this same problem and MANY MANY details and decisions I have skipped over in order to keep things simple.  And there are plusses and minuses for the various options.  This is the best option in my opinion but it depends on your circumstances.

(日本語)
-------------------

I think I understand, you are wondering if there is an easier way.  You may also want a long term solution, one that automatically updates itself, not a one time solution. 
わたしは適当に理解していると思います、もっと簡単な方法があるかどうか疑問に思っているんでしょう。

Unfortunately, to the best of my knowledge, there is not a field in Splunk by default that displays a hosts server class membership. 
残念ながら、私の知る限り、Splunkにはデフォルトでserver classを表示するフィールドはありません。

The good news is we can create the field we need.  We can create the field called server_class.  And we can populate that field with the correct values.
と言っても、必要な server_class というフィールドを作成することができます。 それに、そのフィールドに正しい値を設定できます。

We can create such a field, either with a lookup table or tagging, or an index time field extraction. 
このようなフィールドを作成するように、それぞれの方法はあります。ルックアップテーブルまたはタグ付け、またはインデックス時間フィールドの抽出を使用して作成できます。   

For me, I would build on the method I suggested above, create a scheduled search on the deployment server that lists the members of each server class.  I would configure this report to write the results to an index. 
私にとっては、上記で提案した方法に基づいて、各サーバー クラスのメンバーを一覧表示するスケジュールされた検索を配置サーバーに作成します。そして、「| collect コマンド」をして、Splunkのインデックスに書き込むようにこのレポートを構成します。

I would then schedule a search on the search head to turn this data into a lookup table.  the result would be a self-updating lookup table that lists all hosts and which server classes they are a member of.

次に、Search Headで検索をスケジュールして、このデータをルックアップテーブルに変換します。そうすると、ルックアップテーブが自動的に更新されます。

Step 1 - scheduled report on deployment server

I would use this search:
| rest /services/deployment/server/clients count=0 splunk_server=local | stats values(serverClasses.*.stateOnClient) as * by hostname
| untable hostname server_class dummy
|fields - dummy
|collect index=test sourcetype=serverclass

this search will list ALL clients and server classes, then it will remove the field name dummy as it is not needed.  it then writes that data to an index, in this case the 'test' index. 
この検索では、すべてのクライアントとサーバークラスが一覧表示され、不必要なdummyというフィールドも削除されます。

It also applies a sourcetype=serverclass.  Also please note that I used the untable command to create a field called 'server_class'.   I will then schedule this to run every day, so it will be self-updating.  

また、sourcetype=serverclassも適用されます。untableコマンドを使用して「server_class」というフィールドの名前を作成したことに注意してください。その後、これを毎日実行するようにスケジュールするので、自己更新になります。

Step 2 - Schedule a search that creates a lookup table on the search head.

Now that I have run the above search at least once, there will be new event data in my 'test' index with a sourcetype of serverclass.   I can now run a search that will create a table of all hosts and the server classes they are a part of.  
上記の検索を少なくとも一度実行したので、 'index=test'には、sourcetype=serverclass付けの新しいイベントデータがあるはずです。これで、ルックアップテーブル生成検索を実行できます。

時間がなくなってきたので、ここで日本語はやめます。おそらくそれを本当に必要としなかったでしょうが、私にはいい勉強になってけっこう楽しかったです。

index=test sourcetype=serverclass
|stats count by server_class hostname
|field - count
|outputlookup serverClassLookup.csv

this search will create a table of all hosts and server classes and then create a lookup file with those contents.  I will schedule this search same as the other one, so that it will update itself regularly.

Step 3 - set up lookup definition and automatic lookup
I will omit a detailed description of these steps in the interest of time, if you want more details on how to do so, I am happy to elaborate.  For now, let assume you did so.  You are now able to do a basic Splunk search such as index=wineventlog server_class=Airwatch.

Now there are other ways to solve this same problem and MANY MANY details and decisions I have skipped over in order to keep things simple.  And there are plusses and minuses for the various options.  This is the best option in my opinion but it depends on your circumstances.