I was refining an existing search/dashboard panel when I discovered that my hosts do not reliably follow a pattern. What these hosts do have in common is the presence of a sourcetype unrelated to the data in the search.
Existing Search:
eventtype=winperformance host=myhostpattern object=logicaldisk .....
This search works nicely, but excludes hosts which do not follow the pattern. I would like to replace host=myhostpattern with something that will search for:
sourcetype=mysource |dedup host
and use this to create the host list to use.
I have considered using an inputlookup/outputlookup, but thought there would be a better option.
... View more