Hi,

I should have said that the search is usually "server_group=*", I am just using this group because it is the offending group that is giving me problems.

I don't really understand the point of creating a lookup for this, the search already returns the servers that are being monitored.

Hi @FraserC1,

if the search returns all the group_servers you haven't any problem and don't need any add-on to you search, you have all the resuolts.

My solution is to solve the situation when some group_server is missing (and I understood that this is your problem, if I'm wrong, sorry!), but to do this you have to know the exact list of group_servers to monitor.

Ciao.

Giuseppe

Thanks, I think I get what you mean but not sure how to implement it. I will do some googling and see what I can find.

Try this:

index="automox" sourcetype="automox:devices" server_group="Windows Server Pilot"
| dedup name 
| top pending, server_group 
| appendpipe [ stats values(pending) as pending by server_group | eval count=0, percent=0, pending="false" ]
| stats sum(count) as count by pending, server_group
| eventstats sum(count) as total by server_group | eventstats sum(count) as total by server_group 
| eval percent=round(count*100/total,2) 
| fields - total
| where pending="false"
| sort -percent
| rename server_group AS "Server Group", count AS "Devices", percent AS "Patched Percent"
| table "Server Group", "Patched Percent"

This should add a "dummy" event with pending="false" for every server_group with count of 0, then add the 0 to any existing pending="false" counts, before you calculate the total for the server_group (I removed the fields - percent because that should not get past the stats, in any event you are overriding it with the eval)

Absolutely useless.

I am assuming you didn't even read the question.

Thanks for this, I tried it but it doesn't give me what I want.

I think the problem is because no events are returned because of "pending=false"