Sorry for the absolutely overwhelmingly late response.

So the logs are just the standard "sar" command logs from Solaris, displaying "usr", "sys", "wio", "idle", "cpu". In events they show up like this: "Average 15 24 0 45 55". And for the love of all that is good, I can't figure out how to structure my search query to only display one of these values. Currently, the search query with which I was able to display all five values is this:

Average index="name_of_index" sourcetype="name_of_source" | timechart avg(usr) avg(sys) avg(wio) avg(idle) avg(cpu) span=id

Any help is much appreciated.