The vmstat log entry looks like this (Edited for brevity):
memTotalMB memFreeMB 991 199
And if I have index=os sourcetype=vmstat I get all the relevant log events showing up. What I want to do is to show when memFreeMB drops below a threshold, so I had the command
index=os sourcetype=vmstat memfreemb < 200
But nothing passes the filter.
I can do:
index= os sourcetype=vmstat memfreemb
and get every relevant for the time window.
What did I do wrong?