Hi,
I have a few Windows servers for which I want to correlate CPU and Memory performance over a time chart for each server. What is the best way to achieve this? Would I need to perform a search with a subsearch? Or join two searches together?
The issue is that the field for the CPU value and Memory value is called "Value" in both events.
... | timechart span=1h avg(Value) by host, sourcetype
?
/K
Switch 'sourcetype' for 'counter'. Or if you can only split by one field (don't remember, no Splunk available right now), you can eval host + counter together like so:
... | eval hostcounter = host . counter | timechart span=1h avg(Value) by hostcounter | ...
/K
I get the following error when I try to run that command:
Error in timechart command: The argument sourcetype is invalid.
The search is as follows:
host=server1 OR host=server2 counter="% Processor Time" OR counter="Available Bytes" | timechart span=1h avg(Value) by host,sourcetype