@bowesmana  I like this logic but could be hectic to use in my current environment. thanks.     Regards, ... View more

@bowesmana  Ok, Thanks for your reply. I understand. Appreciated for your reply. VM shouldn't be in values and combine, rest of the column's should combine if result values match, and show visualize.  I'm still looking for some alternative options here.    Regards, ... View more

@bowesmana  For more simplify it for you, split by VM and I'm looking to merge the values into one, example. I have two values as 'car' those should be into one value and in single box. as like same if the result values matches should come. | stats values(col1) values(col2) is not helping as which is combination of values coming.   Regards,  ... View more

Hi @glc_slash_it  Thanks for your reply, It is giving a combination of several fields, but duplicates are showing up. I want to get rid of duplicates where two values matches and to show up as a single result value instead of two combinations. And I want to display it by VM (in my example, VM columns will always be unique).   Regards, ... View more

thanks @PickleRick  avg(CpuUsage) worked.      ... View more

Hi @PickleRick  Do you know a trick for averaging the CPU values from the recent six events? I'm trying to produce the query below, but avg(values(CpuUsage)) isn't working.   index=* sourcetype=cpu CPU=all host=* earliest=-35m | rename "%_Idle_Time" as Percent_Idle_Time | eval CpuUsage=coalesce(100-Percent_Idle_Time,100-PercentIdleTime) | streamstats count by host | where count<=6 | stats avg(values(CpuUsage)) as "Average of CpuUsage last 6 intervals(5mins range)" by host   Regards, Satheesh       ... View more

Thank you so much @PickleRick  for your help. it's worked for my requirement now. Appreciated your time and support.  ... View more

thanks @PickleRick for helping out here.  According to the suggestion you provide below I constructed the following query shown below. However, I need to fulfill below requirements, please let me know. Q1: - How can I verify this by the host. Q2: - head 6 (each time it should check for a 5-minute range event)? Q3:- Can we able to display the results of those last 5 intervals cpu percentage values in a new column ? ex:- 86, 92, 89,45,99,90 index=* sourcetype=cpu host=* earliest=-35m | rename "%_Idle_Time" as Percent_Idle_Time | eval CpuUsage=coalesce(100-Percent_Idle_Time,100-PercentIdleTime) | head 6 | stats count(eval(CpuUsage > 85)) as count | eval result=if(count>=5,"High utilization","Normal")       ... View more

Hi @PickleRick  Yes, we have data for months, and it is sufficient and accurate, as CPU data is loading to our instance from a number of systems every 5 minutes.     ... View more

Hi @gcusello   In my situation, B values are not 100; but, for clarity, I mentioned that values are 100. So, basically, I'm going to compute the average and define the color ranges. Please let me know if there is any way we can set it by query itself along with colors.    Regards, Satheesh  ... View more

thanks @gcusello  got it now, But i need to do the below check before i changed the values to color, any query reference. please help.  if A > 80% of B, then color code A to Orange; if A > 90% of B, then color code to Red.   ... View more

your right @gcusello , Not able to see color option.    ... View more

thanks for the reply @gcusello  Unfortunately, when I click on edit the dashboard, I don't see the option called color and ranges, this seems odd, but I'm not sure. First, I have to make them % criterion and then moving on to color changing modes dependent on thresholds reached.    Regards, Satheesh  ... View more

Thankyou @ITWhisperer , it's working as expected. Appreciated your time and support     Regards Satheesh ... View more

Hi @ITWhisperer  I hope below screenshot looks more helpful for you.     Regards, Satheesh  ... View more

My apologies @ITWhisperer  I'm looking for, matching case of Patch_num in the events for each and every host that are existed in lookup list. Ex:- if lookup list is having 25 patch numbers row list and host A Patch_num resulted 24 in the events and host B resulted 25 in the events and host C resulted 20 events and so on for N number of hosts. The output match case should be with list 25 patches for each host. Domain_name   Host  patchlist   Match_case   xyz1                     ABC   Row 1 num in list  Yes/no xyz1                  ABC  Row 2 number in list Yes/no xyzN                ABC. .....RowN(like this for all the rows in the list,ex 25)      Yes/No xyz2            DEF    Row1 num in list  Yes/no xyz2           DEF.   Row1. num in list.   Yes/no xyzN          DEF.   RowN.        Yes/No xyz3.          GHI.   Row1 num in list.   Yes/No xyz3.          GHI.   Row2 num in list Yes/No   Like this, Yes/No match case with Patch_num are available in the events for each host. Each host should be having some list of patch numbers and available in Patch_num events filled. Hope this explanation helps, please let me know if required additional details. Thankyou for helping.     Regards, Satheesh     ... View more

Hi @ITWhisperer  While performing more validations, I noticed an issue. When I put host=* it's not giving accurate results, and if I remove host=* and checking with index=abc and source type=xyz also isn't giving correct results, any reason? The command is operating just fine with just one host every time, meaning each time we have to pass against with one host. index=abc and source type=xyz host=abc - working fine index=abc and source type=xyz host=* - not working index=abc and source type=xyz - not working. Kindly suggest.   Regards, Satheesh  ... View more

Thankyou for your reply @ITWhisperer  Would please share me the sample/reference syntax will be really helpful. Thankyou for understanding.     Regards Satheesh ... View more

Thankyou for your help @richgalloway  it's worked. Appreciated your help.    Regards, Satheesh ... View more

Thanks for the reply @richgalloway  When I use this | rex field=_raw "\s(?<patch_number>[^;]+);" I get no errors but which is giving only one patch set number in the patch_number field, which is 35255955. Will it be possible to find all the matched patterns separated by a comma? like below from the complete string.  The expected outcome should be like for patch_number filed is 35255955,35226999,35162846,35159582,35148842,35035861,33950717,1221417, ...etc   Regards, Satheesh ... View more