Re: Synchronize between 2 sourcetypes over a time

hiteshkanchan · ‎06-20-2012

There is one query that I am trying to execute, which gives the CPU and Memory Usage. But there is no sync in the time as shown in the attachment. i.e. The CPU and Memory usage are getting calculated at different times. Is there any way I can get both the parameter values at the same time.

sourcetype="WMI:CPUTime" OR sourcetype="WMI:Memory" earliest=-30m | table _time, PercentProcessorTime, PercentUserTime, AvailableMBytes, PercentCommittedBytesInUse

The output is coming at different times for both the sourcetypes. Is there any wany I can get both outputs at the same time?

hiteshkanchan · ‎06-26-2012

The above can be done by specifying a span=30s.
There is another search which look something like this,

sourcetype="WMI:PerfCPU" host="10..." earliest=-30m | append [search host="test_iis_data" source="\\10...\file1.log" earliest==-30m | eval Time_Taken=(Time_Taken/1000) | search Time_Taken>0] | timechart avg(Time_Taken) as AvgTime avg(PercentCommittedBytesInUse) as AvgProcTime

Here the output comes only for one field at a time(but not for both AvgTime and AvgProcTime).
Is there any way I can get both?

Synchronize between 2 sourcetypes over a time

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...