Hi - I want to display the cpu, mem statistics (avg, min, max) for a specified duration - last 4 hours, 24 hours etc.,
I am using the following search. The problem is that I'm getting different values for the same time - like for eg 6AM in the morning for both these results shows different values.
Any idea what needs correction
source=WMI:CPUTime host=* | eval CPULoad = PercentProcessorTime | timechart avg(CPULoad) min(CPULoad) max(CPULoad) minspan=10m by host | join _time [search source=WMI:memory host=* | timechart avg(AvailableMBytes) min(AvailableMBytes) max(AvailableMBytes) minspan=10m by host]
what frequency are you collecting the data on?
Why not just do one search, like so :
source=WMI:CPUTime OR source=WMI:memory | rename PercentProcessorTime as CPULoad | timechart avg(CPULoad) min(CPULoad) max(CPULoad) avg(AvailableMBytes) min(AvailableMBytes) max(AvailableMBytes) by host
When you search over different timeranges, your time windows will be different sizes, you've just specified a minimum time span - Splunk can pick a larger time span than you've specified.