I just tried that and it looks like it's only geting the last event for that sourcetype which will only contain one host. I need it to grab the last event for each host.

Use this:

sourcetype=ejsysinfo_sort  OR sourcetype=ejlog_sort host= | dedup host | rename HD as "Total Disk GB" | rename Available_D as "Available Disk GB"|sort "Available Disk GB" |table host,"Total Disk GB","Available Disk GB",Date

Thanks, I just tried that and it's not producing what I expected. I was using the head 1 command to grab the last event from the log file for that host. Each host writes some performace data evey min in a csv file. This command seems to grab every event for each host.

what're you expected to see?

So I currently have about 80 hosts. I would expect to see the table filled with only the last event line for each host. So I would like to see 80 lines that only contain the most recent update. This search seems to look at every event line for every host. I can see hosts with the same name in the table. I also get this message from the search " [subsearch]: Subsearch produced 2093179 results, truncating to maxout 50000"

Ok try this:

sourcetype=ejsysinfo_sort host=*| head 1 | rename HD as "Total Disk GB"|dedup  host,"Total Disk GB" |table host,"Total Disk GB" |join [ search sourcetype=ejlog_sort host=*| head 1 | rename Available_D as "Available Disk GB"| |dedup  host,"Available Disk GB"|table host,"Available Disk GB"]

If I remove the "head 1" it works.

sourcetype=ejsysinfo_sort host=* | dedup host | rename HD as "Total Disk GB" |table host,"Total Disk GB" |join [ search sourcetype=ejlog_sort host=* |dedup host | rename Available_D as "Available Disk GB"| table host,"Available Disk GB",Date] |sort "Available Disk GB" a |table host,"Total Disk GB","Available Disk GB",Date

This command works, but takes about 1 min to run. I was hopping that it would run much faster and be able to quickly grab, parse, and sort the last line from each event fast since it should be under 80 lines.