OK, so I have two searches that work great. One will find computers with slow ping times. The other will create a chart of the ping times based on one host name. I would like to somehow combine these two searches, but I'm not sure how to do it. I would like my end result to be a chart that shows all the computers with slow ping times on one chart that plots their ping times.
Here is a search I use to grab the computers I would like to chart.
sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host,Count
And here is the chart I use for one computer.
sourcetype="search1" host=$desktop$ | timechart avg(internal_time) as "Ping Time"