Hi,
I use the search below in order to display the model of a host for only the host which has a Wear_Rate>0
But the Model field is empty.
Could you help me to display the model for all the machines which have a Wear_Rate>0 please??
eventtype=Charge AND (NOT host=E* AND NOT host=I*)
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity)
| where Wear_Rate >0
| dedup host
| join type="outer"
[ search index="x" sourcetype="x"
| rex "Model=(?<model>.*)"
| stats values(model) as Model by host
]
One basic observation is, you missed to mention the field on which you want to join, see below:
| join type="outer" host
try this and let me know if it worked
One basic observation is, you missed to mention the field on which you want to join, see below:
| join type="outer" host
try this and let me know if it worked
yes thanks