I have about 10 Windows computers using the universal forwarder to report CPU utilization, memory, disk and network consumption to a Splunk server. I'm trying to chart the average processor time per processor over the last 24 hours. The search clearly finds records that qualify for the search set, but the chart shows no data, whether in tabular form or bar chart.
I'm trying to use
host=xyz511* object=Processor counter="% Processor Time" | chart avg(value) over host
The chart shows me the proper list of hosts, but the avg(value) has no value, yet if I look at the records list, I can see the records being used in the search set, and I can clearly see that each record has a value field with the data I want to average out.
So I must be misunderstanding something.
Note that field names are case-sensitive. (Field values are not.)
Shouldn't it be Value instead of value?
Please forgive me if this is off-the-mark, but I can't get to any Windows data at this moment to test...
ost=xyz511* object=Processor counter="% Processor Time" | chart avg(Value) over host
lguinn - That was it: it needs to be Value instead of value. Thank you.