Hi,
What I'm attempting to do is monitor a specific set of processes on a machine. For this, I am obtaining data from WMI (where wmi_type=LocalProcesses) and checking how many instances of a specific process have occurred within a specified time frame (which I choose depending on how often the data from that server gets updated). If it is ever zero, then there is an error.
Below is a search query that I am using on a dashboard:
host=[HOST] wmi_type=LocalProcesses earliest=-5m Name="[PROCESS]" | stats count AS TimesDetected | rangemap field=TimesDetected severe=0-0 default=low
(Where [HOST] is the name of the particular machine I am checking for, and [PROCESS] is the name of the process. An example would be Server01 and CcmExec respectively.)
This works quite well, and I can add text only panels to my dashboard (within the search app) to monitor each process.
The problem with this is that, once more than a handful of processes are monitored, the dashboard gets very cluttered (since you can only have 2 panels per row, and each process takes up a panel). I am looking for a way to display the data in a table, for only certain processes that I have specified.
In an attempt to do this, I have come up with the following query:
host=HTVMBI02 wmi_type=LocalProcesses earliest=-5m Name="System" OR "CcmExec" | stats count AS TimesDetected by Name
It works well when viewed as a table, and I can add as many processes as I want to monitor to the table. However, should the process not have any data, it will not be shown in the resulting table. I can understand why this is (there is no data for it), but I am looking for a way to force it to say '0' for processes I've specified that it can't find data for. Is there a way to do this?
Thanks.
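One way to keep a row for every expected process, shown as an added example that is not part of the original post: append a zero-count row for each monitored name, then sum per name so that a process with no events still appears with TimesDetected=0. It reuses the host, process names and rangemap settings from the queries above, and assumes a Splunk version that provides the `makeresults` command.

```spl
host=HTVMBI02 wmi_type=LocalProcesses earliest=-5m (Name="System" OR Name="CcmExec")
| stats count AS TimesDetected by Name
| append
    [| makeresults
     | eval Name=split("System,CcmExec", ",")
     | mvexpand Name
     | eval TimesDetected=0
     | fields Name TimesDetected]
| stats sum(TimesDetected) AS TimesDetected by Name
| rangemap field=TimesDetected severe=0-0 default=low
```

The list of names inside `split(...)` has to match the names in the base search; a name that appears only in the base search is counted but never zero-filled.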