I'm having trouble using timechart for multiple hosts. Here's what I want to do:
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host | max(PercentProcessorTime) by host | timechart max(Context) by host
That doesn't work. "Fields missing" on the second two timechart commands. Changing the order shows it isn't an issue with the data. So I've tried this, and I get the error "Error in 'timechart' command: When you specify a split-by field, only single functions applied to a non-wildcarded data field are allowed."
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes), max(Context), max(PercentProcessorTime) by host
I've also tried the following, which returns the error "Error in 'timechart' command: The argument 'max(Context)' is invalid."
index="wmi" host="hostprefix*" (wmi_type=CPUTime OR wmi_type=NET OR wmi_type=Memory) | kv | fields wmi_type,host,PercentProcessorTime,Contexts,AvailableMBytes | timechart max(AvailableMBytes) by host, max(Context) by host, max(PercentProcessorTime) by host
Why is that? I truly want to split all three items by host. I can have three different graphs, but that isn't really what I want.
... View more