hi david

when I add bin _time J have the message : the specifier bin_time is invalid. It must be in form (). For example : max(size)
and I want to display ten events (host) in my timechart but only the last 10 events (host)
with head 10 i have ten events but not the last.....

ohhhh, sorry! hahah it's actually bucket 😄

 index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time | head 10

as for the last 10 you can use reverse :

index="TUTU" sourcetype="perfmonmk:process" | bucket _time span=1m | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host,_time|reverse | head 10

thanks david
last question
my final search is :

index="tutu" sourcetype="perfmonmk:process" 
| where process_cpu_used_percent>80 
| bucket _time span=1m 
| stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
| eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
| table _time host process_cpu_used_percent 
| dedup host 
| reverse 
| head 10

do you think its correct??

Looks good !

But I think you want to use your 80% filter after the stats that way it gets applied on the average, this should do :

 index="tutu" sourcetype="perfmonmk:process" 
 | bucket _time span=1m 
 | stats avg(process_cpu_used_percent) as process_cpu_used_percent by host, _time 
 | where process_cpu_used_percent>80 
 | eval process_cpu_used_percent =round(process_cpu_used_percent, 1)." %" 
 | dedup host 
 | reverse 
 | head 10

please upvote comments and accept answer if it was helpful ❤️

hi
thanks
i have done this but i dont understand how to use bin_time?
I would also like to have only the last 10 events
index="test" sourcetype="perfmonmk:process"
| timechart span=1m avg(process_cpu_used_percent) as process_cpu_used_percent by host where process_cpu_used_percent>80 limit=10
could you help me pelase??