All,
My query below just returns the values from the first sourcetype (first 3 lines in | stats). It seems that the fields from the second sourcetype are not being loaded.
Any clue? I'm sure it is something really simple, but I cannot see it:
index=uberagent (sourcetype=uberAgent:Application:SoftwareUpdateInventory host=*) OR sourcetype=uberAgent:System:SystemPerformanceSummary2
| stats
latest(DisplayName) as "Patch Name"
latest(ProductName) as "Product name"
values(State) as State
avg(CPUUsagePercent) as "CPU"
avg(RAMUsagePercent) as "RAM"
avg(IOPercentDiskTime) as "IO"
by host, InstallDate
| rename host as "Machine Name"
| mvexpand InstallDate
| mvexpand host
| eval "% of CPU" = round((CPU),2)
| eval "% of RAM" = round((RAM),2)
| eval "% of IO" = round((IO),2)
| eval sortfield=lower(InstallDate)
| table
InstallDate
"Machine Name"
"Patch Name"
"Product name"
State
"% of CPU"
"% of RAM"
"% of IO"
sortfield
| sort limit=0 sortfield
| fields - sortfield