Hi Everyone,
I am doing the following search:
sourcetype="a" OR sourcetype="b" OR sourcetype="c" CPU_IDLE<40 | timechart span="1m" count(CPU_IDLE) by sourcetype
I get the number separated by each sourcetype, but I would like to get only one number, which is the sum of all the events that match the conditions in the sourcetypes that I am analyzing.
Any ideas how to do that?
Ideally I want to use this number to create a chart after.
Thanks,
Dan
Is there a reason why you've split the timechart by sourcetype? Because that's why it's showing you a count...per sourcetype. Just remove that and it won't.
Yes, the reason is that each source type has 10 servers, so in total we have 50 servers doing the same function. If I group more than 10 servers under a source type and I try to create a chart, only the variables will be available. I need to see each of them so I can analyze each server as well. Thank