hi
I use the search below in order to display a timechart which count the number of host which are in a cpu range consumption (0 - 20, 20 -40, 40 - 60)
`CPU` earliest=-30d latest=now
| fields process_cpu_used_percent host
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60")
| timechart span=1d dc(host) as host by cpu_range
I need to changes :
1) Instead counting the number of process_cpu_used_percent by host in a cpu range, I need to count the number of the process_used_percent average by host in a cpu range
2) Is is possible to take only the evnts which are in a specific slot time? (between 8h and 17h)
thanks a lot for your help
Try something like
`CPU`
| eval hourmin = strftime(_time, "%H%M")
| where (hourmin >= 800 AND hourmin <= 1700)
| timechart span=1h avg(process_cpu_used_percent) as cpu_average by host
Try something like
`CPU`
| eval hourmin = strftime(_time, "%H%M")
| where (hourmin >= 800 AND hourmin <= 1700)
| timechart span=1h avg(process_cpu_used_percent) as cpu_average by host
Give this a try:
`CPU` earliest=-17h latest=-8h
| fields process_cpu_used_percent host
| eval cpu_range=case(process_cpu_used_percent>0 AND process_cpu_used_percent <=20,"0-20",
process_cpu_used_percent>20 AND process_cpu_used_percent <=40,"20-40",
process_cpu_used_percent>40 AND process_cpu_used_percent <=60,"40-60")
| timechart span=1h avg(process_cpu_used_percent) as cpu_average by host
Hope this helps!
earliest=-17h latest=-8h is not good because if I am doing this i have just the vents for one day instead 7 days like i need....
Side note, you would not need the | fields process_cpu_used_percent host
line. The timechart would give you the exact output you want.