Hi @samjenk_2 , These are the events used to toggle health colours in Splunk's Health Report. So we get to know what are the typical values, and in which servers. index=_introspection sourcetype=splunk_resource_usage component=IOWait   ... View more

I'm pursuing a related problem in trying to build transactions between 4688 (process created) and 4689 (process terminated) events, so we can know precisely how long processes run. I'm looking into correlating these data and saving them to a summary index so they can be further correlated against other Windows logs using Process_ID, Process_Name, time, and host. Once you have results, do you plan on writing them out as distinct events (one event per process tree) in this manner? Especially for long-lived processes, I would think you'll need a way to maintain state on what child processes have been created. ... View more

Thanks again to maciep and sundareshr for their input. I've gotten a little closer on this issue, this time revisiting the notion of breaking my query into parts. I can get the behavior I want by doing the following: (1) {query for first set} | rename src_ip as first_ip | table sid,first_ip | outputlookup mylookup.csv (2) {query for second set} [| inputlookup mylookup.csv | fields sid] | lookup mylookup.csv sid OUTPUT first_ip This approach is a variation on the one I tried in my first post, but with the subsearch based on the lookup table itself, rather than running (1) as a subsearch. This allows me to make first_ip a field for every event in the second set matching on sid , with which I can then treat as any other field with stats , timechart , and the like. It'd still be nice to be able to do this in one search, though. ... View more

Were you ever able to improve the speed of this search by replacing transaction with a more efficient function, like stats or streamstats ? If so, could you share? Thanks! ... View more