Combinning sourcetype in uberagent

I am trying to combine sourcetypes in a search but when I try I am not getting any numbers f some of the fields. below is my code. If I take out the NetworkConfigFriendlyName then the rest of the fields show but once I add in the NetworkConfigFriendlyName then only the host and this field shows. Can anyone explain why? Thanks


index=uberagent sourcetype=uberAgent:OnOffTransition:StandbyDetail2 OR sourcetype=uberAgent:System:SystemPerformanceSummary2 OR sourcetype="uberAgent:System:NetworkConfigInformation"
| stats count(TargetStateDisplayName) as "Total Events" avg(CPUUsagePercent) as "%CPU Usage" avg(IOPercentDiskTime) as "%IO Time" avg(RAMUsagePercent) as "%RAM Usage" by host,NetworkConfigFriendlyName
| rename host as "Machine Name"
| table "Machine Name" "Total Events" "%CPU Usage" "%RAM Usage" "%IO Time", NetworkConfigFriendlyName


  • 1
    Dominik Britz

    Hi Jonathan,

    I moved your post to General Discussion.

    If I understood correctly, you want to see performance data in relation to the connected network. I created a search for you. What do you think?

    | pivot `uA_DM_System_SystemPerformanceSummary` System_SystemPerformanceSummary
    avg(CPUUsagePercent) as CPUUsagePercent
    avg(RAMUsagePercent) as RAMUsagePercent
    avg(IOPercentDiskTime) as IOPercentDiskTime
    period hour
    host as "Machine name"
    | join type=outer _time "Machine name"
    | pivot `uA_DM_System_NetworkConfigInformation` System_NetworkConfigInformation
    latest(NetworkConfigFriendlyName) as NetworkConfigFriendlyName
    period hour
    host as "Machine name"
    | fields + NetworkConfigFriendlyName "Machine name" _time
    | eval "Avg. CPU usage (%)" = round(CPUUsagePercent, 1)
    | eval "Avg. RAM usage (%)" = round(RAMUsagePercent, 1)
    | eval "Avg. IO time (%)" = round(IOPercentDiskTime, 1)
    | fields - CPUUsagePercent RAMUsagePercent IOPercentDiskTime
  • 0
    Jonathan Gillman

    Yes that is perfect thanks.

Please sign in to leave a comment.