Ended up going with a kludgey workaround to this answer.
- Evaluate each paring, setting the column to be equal to the current instance's command value
- Set the rows to be the current snapshot of the CPU usage
- Append a suffix string of C1-5 to ensure uniqueness (assuming only 5 entries currently, above examples only have 3
- Pull out the current epoch time from each message, use that for X
my base search | eval C1.{cmdTop1}=cpuTop1 | eval C2.{cmdTop2}=cpuTop2 | eval C3.{cmdTop3}=cpuTop3 | eval C4.{cmdTop4}=cpuTop4 | eval C5.{cmdTop5}=cpuTop5 | eval Time=strftime(epochtime, "%m/%d/%y %H:%M:%S %Z") | table Time C1* C2* C3* C4* C5*
This gives us something nice like this:
Don't think there's a better way beyond this.
... View more
