I'm sure this has been asked before, but nothing I'm coming up with for searches against this forum have proved useful. I want to check for Windows hosts where the number of Context Switches/sec is higher than a calculated amount. That calculation needs to take into account the number of processors on the system. To get the number of processors, I found that I can run the following search: index="perfmon" sourcetype="Perfmon:CPU" instance!="_Total" | stats dc(instance) AS NumProcessors by host To get the number of Context Switches/sec, it's as easy as: index="perfmon" sourcetype="Perfmon:System" counter="Context Switches/sec" And I want to limit the events in the context switches query to where Value = 5000 * NumProcessors. I thought a subsearch might be the way, but I can't seem to get that to work. This is something like what I want, but it doesn't work because the subsearch usage is wrong. index="perfmon" sourcetype="Perfmon:System" counter="Context Switches/sec" | stats avg(Value) AS avg_cs by host | where avg_cs > (5000 * [search index="perfmon" host=$host$ sourcetype="Perfmon:CPU" instance!="_Total" | stats dc(instance) AS NumProcessors by host])
... View more