Hello,

I have this

index=myindex eventtype="perfmon_windows" object="LogicalDisk" counter="% Free Space" instance!="_Total" instance!="0"
| stats first(Value) as value by instance, host
| eval x= 100 - value
| eval x= round(x,2)
| sort host
| fields host,instance, x

the result is something like that and it is ok :

host | instance | x

server1 | C: | 30
server1 | 😧 | 20
server1 | E: | 10
server2 | C: | 40

and I have this :

index=myindex eventtype="perfmon_windows" (object="Memory" counter="% Committed Bytes In Use") instance!="_Total"
| stats first(Value) as value by instance, host
| eval y= 100 - round(value,2)
| sort host
| fields host, y

the result is something like that and it is ok :

host | y

server1 | 55
server2 | 34

I tried to join the two search with a join on host and i have that :

host | instance | x | y

server1 | 0 | 30 | 55
server1 | 0 | 20 | 55
server1 | 0 | 10 | 55
server2 | 0 | 40 | 34

But i want to have this :

host | instance | x | y

server1 | C: | 30 | 55
server1 | 😧 | 20 | 55
server1 | E: | 10 | 55
server2 | C: | 40 | 34

Do you have a solution please ?

I dont know if it is my join or other thing to do

Thank you 🙂