Ok, So I have two searches that work great. One will find computers with slow ping times. The other will create a chart of the ping times based on one host name. I would like somehow combine these two search's, but not sure how to do it. I would like my end result to be a chart that shows all the computers with slow ping times on one chart that plots there ping times.
Here is a search I use to grab the computers I would like to chart.
sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host,Count
And here is the chart I use to for one computer.
sourcetype="search1" host=$desktop$ | timechart avg(internal_time) as "Ping Time"
How about this?
sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3
Like this:
index=blah sourcetype="search1" [index=blah sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) AS "Ping Time" BY host
Suggestion - it's always better to specify the index name. You can see the difference just by adding the index name to your searches.
Try this
index=yourindex sourcetype="search1" [search index=yourindex sourcetype="search1" earliest=-15m internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) as "Ping Time" by host
Thanks for the tip! You solution also did what I was looking for. I was trying you approach at first, but could not get the syntax correct.
How about this?
sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3
Thanks worked great!