Hi,
We have a search which gives us average CPU time by host and we want to plot a line graph to get hosts which have CPU usage greater than 25%.
Our search below is giving us results, but when we filter results like `search host>25`, it is filtering the results, but it is displaying other hosts during that time.
Ex: If we need to check CPU perc on *linux1, linux2, linux3, and we have CPU>25 for linux1 at 10 mins ago, we are getting results for other hosts as well.
Results we are getting like below, but we are looking only for >25 (linux1 here below)
```
_time   linux1   linux2   linux3
10.00   27       16       17
10.10   30       18       20
```
Search:
```
index=idx1 sourcetype=cpu host=linux1* OR host=linux2* OR host=linux3* all
| rex field=host "(?P<hostname>[^.]+)"
| eval hostname=lower(hostname) `linux_hostname`
| eval linuxCPU=100 - pctIdle
| timechart span=10m avg(linuxCPU) as cpu by hostname useother=f limit=0
| search linux3>25 OR linux2>25 OR linux1 >25
```
We should get results like
```
_time   linux1
10.00   27
10.10   25
```
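An added example, not part of the original post: `timechart` produces one row per time bucket with one column per host, so a `search` placed after it keeps or drops whole rows and the other hosts' columns stay. The sketch below reuses the post's base search and field names, aggregates to one row per host per bucket, filters those rows, and only then pivots into chart layout; it assumes a line chart built from `xyseries` output is acceptable in place of `timechart`.

```spl
index=idx1 sourcetype=cpu host=linux1* OR host=linux2* OR host=linux3* all
| rex field=host "(?P<hostname>[^.]+)"
| eval hostname=lower(hostname) `linux_hostname`
| eval linuxCPU=100 - pctIdle
| bin _time span=10m
| stats avg(linuxCPU) as cpu by _time hostname
| where cpu>25
| xyseries _time hostname cpu
```

Only hosts with at least one 10-minute average above 25 get a column, and buckets where a listed host was at or below 25 are left empty for that host.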