The idea is to show the top 3 CPU averages in a day for the last 7 days.
Query used:
index=os sourcetype=ps host="Host1"
| timechart span=1h avg(pctCPU) as Avg_pctCPU
Here, I want to first sort the results and then, using the limit command, keep only the top 3 results with the maximum value for each day. If I then run the search for the last 7 days, it should do the same thing and give me 21 results:
Top 3 results each day * 7 days == Total 21 results
Thanks in advance
Hi @tarunmalhotra792,
Try this:
index=os sourcetype=ps host="Host1"
| timechart span=1h avg(pctCPU) as Avg_pctCPU
| bin _time span=1d
| top 3 Avg_pctCPU by _time
Thanks, it worked.
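
An added example, not part of the posts above: a variant that ranks the hourly averages by value within each day, which matches the "sort, then keep the 3 highest per day" wording of the question (`top` ranks values by how often they occur). The field names `day` and `rank` and the `earliest`/`latest` window are assumptions introduced for this sketch; the index, sourcetype, host and `pctCPU` field are the ones from the thread.

```spl
index=os sourcetype=ps host="Host1" earliest=-7d@d latest=@d
| timechart span=1h avg(pctCPU) as Avg_pctCPU
| where isnotnull(Avg_pctCPU)
| eval day=strftime(_time, "%Y-%m-%d")
| sort 0 day, -Avg_pctCPU
| streamstats count as rank by day
| where rank <= 3
| table day, _time, rank, Avg_pctCPU
```

Because `_time` is left at hourly resolution and the day goes into a separate field, each of the 21 rows still shows which hour produced the peak, and hours with no data are dropped before ranking.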