Hi there,
I have two searches that work great independently; however, I now have a need to combine them both. The first search looks over a 30-day time frame, which is what I want. The second search only looks at the last 5 minutes, which is also what I want. Specifically, I need the results from the second search added to the first search with respect to the differences in time frames.
The problem I seem to be running into is that the stats dc(pid) within the first search is pulling the dc of PIDs over the last 30 days, which includes PIDs that are not currently running and throws our numbers off. What we care about is the dc of PIDs currently running, which is where the idea of putting in a hardcoded value of "last 5 min" specifically for the PIDs came from.
Search 1 (last 30 days):
index=unix_metrics (host=y0123t322 OR host=y0123t323 OR host=y0123t324 OR host=y0123t325 OR host=y0123t326) (sourcetype=vmstat OR sourcetype=CPU OR sourcetype=ps) (CPU=all OR process="bwengine*" OR memUsedPct>=0)
| eval cpu_percentage=100-pctIdle
| stats avg(cpu_percentage) as "cpu_perct_used" avg(memUsedPct) as "memory_perct_used" dc(pid) as "CountofBWEngines" by host
| eval Deployable=case((cpu_perct_used<=80 AND memory_perct_used<=80), "Yes", (cpu_perct_used>=80 OR memory_perct_used>=80), "No")
| eval Summary="CPU: ".round(cpu_perct_used, 0)."% Memory: ".round(memory_perct_used, 0)."% (".CountofBWEngines." engines)"
| table host, Deployable, Summary
| sort - Deployable
Search 2 (last 5 mins):
index=unix_metrics (host=y0123t322 OR host=y0123t323 OR host=y0123t324 OR host=y0123t325 OR host=y0123t326) (sourcetype=ps) (process="bwengine*")
| stats dc(pid) as "CountofBWEngines" by host