I am looking forward to creating a table for system metrics values like "cpu", "memory" and "swap", now if run the below search it works, but it will get all hosts available while I want my search to be specific to some hosts.
1)
| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by host
| eval "cpu_active"=100-cpu_idle
| fillnull value=0
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
2)Where if i try like below then i get an error as i am beginner and not getting the right approach to get it .
| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by
("host"="host1.example.com" OR
"host"="host2.example.com" OR
"host"="host3.example.com"
)
| eval "cpu_active"=100-cpu_idle
| fillnull value=0
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
1) working screen shot
2) trial but not working
Would appreciate to get any help or direction on this.
| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by host
| where host="host1.example.com" OR host="host2.example.com" OR host="host3.example.com"
| eval "cpu_active"=100-cpu_idle
| fillnull value=0
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
| mstats max(cpu.idle) AS "CPU_IDLE" avg(memory.free) as "MEMORY_FREE" avg(swap.used) as "SWAP_USED" WHERE `sai_metrics_indexes` earliest=-30m@m by host
| where host="host1.example.com" OR host="host2.example.com" OR host="host3.example.com"
| eval "cpu_active"=100-cpu_idle
| fillnull value=0
| foreach CPU* MEM* SWAP* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]