Im monitoring 2 harddrive usage from a server.
This is my query :
index="perfmon7days" earliest=-60m sourcetype="WMI:LocalPhysicalDisk_DFSR" OR sourcetype="WMI:LocalPhysicalDisk_STAGING" | eval _custom=if(source=="WMI:LocalPhysicalDisk_DFSR","DFSR","STAGING") | timechart span="5m" max(PercentDiskWriteTime) as "Write" max(PercentDiskReadTime) as "Read" by _custom
So, basically, I want to have 4 Lines : Read:DFSR, Read:Staging, Write:DFSR and Write:Staging.
With this query, I only have READ Staging and Write Staging since it look like I fall in the "ELSE" everytime.
If I use this query, it work :
index="perfmon7days" earliest=-60m sourcetype="WMI:LocalPhysicalDisk_DFSR" OR sourcetype="WMI:LocalPhysicalDisk_STAGING" | eval _custom=if(source=="WMI:LocalPhysicalDisk_DFSR","DFSR","STAGING") | timechart span="5m" max(PercentDiskWriteTime) as "Write" max(PercentDiskReadTime) as "Read" by sourcetype
but I get : Read:WMI:LocalPhysicalDisk_DFSR, Read:WMI:LocalPhysicalDisk_STAGING, Write:WMI:LocalPhysicalDisk_DFSR and Write:WMI:LocalPhysicalDisk_STAGING.
This is not looking good in my timechart legend.
Thanks
Jean-Frederic
Thanks Stephano and Woodcock, both solution worked... it was in fact my source was "case sensitive"..... so, it was not working since my real source was "WMI:LocalPhysicalDisk_dfsr" 😞
Thanks, it's much appreciated !
Which answer are you going to accept now? But, since the problem was the source i think you should accept mine.
Hello! Please let me know. Did you have a source named WMI:LocalPhysicalDisk_DFSR in your events? Please take the first query and change your if (soure=.......
with if (sourcetype=....
.and let me know what happen.
Thanks!
index="perfmon7days" earliest=-60m sourcetype="WMI:LocalPhysicalDisk_DFSR" OR sourcetype="WMI:LocalPhysicalDisk_STAGING" | eval _custom=if(source=="WMI:LocalPhysicalDisk_DFSR","DFSR","STAGING") | timechart span="5m" max(PercentDiskWriteTime) as "Write" max(PercentDiskReadTime) as "Read" by sourcetype | rename *WMI:LocalPhysicalDisk_DFSR AS *DFSR | rename *WMI:LocalPhysicalDisk_Staging AS *Staging