Ok, If I understand your objective correctly you would like to display CPU usage as percentage regardless of if the system is Win or *Nix. I am also assuming that you only want pctIdle where pctUser equals all. My first step would be to normallize the data. Since it looks like you have multivalued fields for you *Nix event I would uses mvindex to return single or subset.
I assuem that this base search returns your events for both systems.
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime)
This section tries to turn pctIdle into a percent and adds it to the field PercentProcessorTime just like the pre-existing field in Win data. I use mvindex to return the first value 0 in the multivalued field called pctIdle. Then I perform the math.
... |eval PercentProcessorTime=(100-mvindex(pctIdle,0))
Then I uses the field command to verify the values by host. I should see values for both *Nix and Win systems now in the PercentProcessorTime. Fields command is a great way to table and verify your data.
...|fields _time host, PercentProcessorTime
If everthing looks good I then peform a timechart command.
Example search:
host="CARDS_QA_*" (sourcetype=cpu OR source=WMI:CPUTime) |eval PercentProcessorTime=(100-mvindex(pctIdle,0))|fields _time host, PercentProcessorTime| timechart span=5m avg(PercentProcessorTime) as Percent_CPU_Load by host
You may need to play with a bit to get the intended results. Another option would be to sperate your seaches and use join. linux_cpu_seach | fields _time,y,z |join _time[search win_cpu_serch|fields _time,y,z] |timechart ...
I hope this helps or gets you started. Dont forget to accept or thumbs up answer. Cheers
Additional reading:
Parsemultivaluefields
CommonEvalFunctions
... View more