I think I figured it out. Could someone validate whether this is the most efficient way to do this:
sourcetype="ps" | eval processexists=if(match(_raw, "SOME_UNIQUE_PROCESS_NAME"), 1, 0) | timechart span=1m avg(processexists) by host
As long as you know you're going to get more than one event from ps within the span of 1 minute it should work. The only thing that could get dodgy is it'll drop down to 0.5 between going from 1 and 0 if you are sampling every 30 seconds.