I am trying to combine 2 different sourcetypes with the same kind of event (idle CPU) into one chart. Not sure if this is possible. For instance:
sourcetype="estiw_servers-1" and "estiw_servers-2" | timechart span="5m" avg(zCPU_IDLE) by source
What will be the correct syntax?
Many thanks,
Dan
sourcetype="estiw_servers-1" OR sourcetype="estiw_servers-2" | timechart span="5m" avg(zCPU_IDLE) by source