Here's a summary of what I'm trying to do:
Find a job by ID
Use the start/end time of that job to bound a search for system performance metrics
chart the results
This is a search that finds the job and brings back the performance results in the jobs time window:
sourcetype=joblog jobID=693 starttime="06/14/2013:00:00:00" endtime="06/17/2013:00:00:00" | map search="search eventtype=windows_performance Host=ZSN* object=Processor counter=%\ Processor\ Time instance=_Total timeformat=\"%m/%d/%Y %H:%M:%S %p\" starttime=$startTime$ endtime=$endTime$"
example result:
06/15/2013 13:46:12.646
collection=CPUTime
object=Processor
counter="% Processor Time"
instance=_Total
Value=3.2852405007373298
But when I try to timechart it like:
| timechart span=15s max(Value)
The timechart has the outer start/end time and does not contain any results. Any suggestions on how to create this type of chart?
... View more