I've got a search I'm using in a dashboard panel that uses the bin command to group time in 10 minute intervals. The search is below:
```spl
sourcetype=snmpget_hardware_utilization_data
| eval cpu_warn = 70 | eval hdd_warn = 80 | eval mem_warn = 80
| eval RAM_Utilization = 100 * ( RAM_Total - RAM_Available ) / RAM_Total
| eval CPU_Utilization = 100.0 - CPU_Idle
| where CPU_Utilization > cpu_warn OR RAM_Utilization > mem_warn OR HDD_Utilization > hdd_warn
| bin _time span=10m
| stats min(CPU_Utilization) as CPU_Utilization, max(HDD_Utilization) as HDD_Utilization, min(RAM_Utilization) as RAM_Utilization by _time, host
| sort -_time
```
The Dashboard panel looks like this:
![alt text][1]
By default, if the user tries to click on a table row, the search returns nothing because it just narrows the time of the search to the _time of the table row, and most likely no events occurred in that particular millisecond. I'm trying to make the dashboard drill down to the events surrounding the time and host in the row. In my case, the data comes in every 1 minute, so because I'm using 10 minute bins, a search window of the surrounding 20 minutes would be ideal. I can't find a way to do that, though, so I'm wondering if anyone else has gotten this kind of thing working.
So far I have a drilldown that just looks at the host's data up to the time clicked on, and it looks like that's the best I can do. Drilldown below:
$earliest$ $latest$
[1]: /storage/temp/125245-new-bitmap-image-13.png
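One way to get a windowed drilldown from a binned table, written here as an added example rather than anything from the original post: compute the drilldown window as two extra fields in the search itself (the bin start minus 5 minutes and plus 15 minutes, giving a 20-minute window centred on the 10-minute bin; the exact offsets are an assumption), hide those columns with the table's `<fields>` option so they still appear as `$row.*$` tokens, and have the `<link>` pass them as `earliest` and `latest`. The `drill_earliest` and `drill_latest` field names and the `-24h@h` panel time range are hypothetical.

```xml
<!-- Added example Simple XML panel, not the original poster's dashboard.
     Assumes the poster's search; the drill_* fields and offsets are assumptions. -->
<dashboard>
  <row>
    <panel>
      <table>
        <search>
          <query>sourcetype=snmpget_hardware_utilization_data
| eval cpu_warn=70, hdd_warn=80, mem_warn=80
| eval RAM_Utilization=100*(RAM_Total-RAM_Available)/RAM_Total, CPU_Utilization=100.0-CPU_Idle
| where CPU_Utilization > cpu_warn OR RAM_Utilization > mem_warn OR HDD_Utilization > hdd_warn
| bin _time span=10m
| stats min(CPU_Utilization) as CPU_Utilization, max(HDD_Utilization) as HDD_Utilization, min(RAM_Utilization) as RAM_Utilization by _time, host
| eval drill_earliest=_time-300, drill_latest=_time+900
| sort -_time</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Only these columns are rendered; drill_earliest/drill_latest remain
             available to the drilldown as $row.drill_earliest$ / $row.drill_latest$. -->
        <fields>["_time","host","CPU_Utilization","HDD_Utilization","RAM_Utilization"]</fields>
        <drilldown>
          <!-- Open a raw-event search for the clicked host over the 20-minute window.
               $row.host|u$ URL-encodes the host value; the epoch offsets need no encoding. -->
          <link target="_blank">search?q=search sourcetype%3Dsnmpget_hardware_utilization_data host%3D$row.host|u$&amp;earliest=$row.drill_earliest$&amp;latest=$row.drill_latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Because the window is derived from the row's own `_time`, it stays aligned with the bin no matter what the panel's time range is, and changing the span only requires adjusting the two offsets in the `eval`.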