Here's a summary of what I'm trying to do:
- Find a job by ID
- Use the start/end time of that job to bound a search for system performance metrics
- chart the results
This is a search that finds the job and brings back the performance results in the jobs time window:
sourcetype=joblog jobID=693 starttime="06/14/2013:00:00:00" endtime="06/17/2013:00:00:00" | map search="search eventtype=windows_performance Host=ZSN* object=Processor counter=% Processor Time instance=_Total timeformat="%m/%d/%Y %H:%M:%S %p" starttime=$startTime$ endtime=$endTime$"
example result:
06/15/2013 13:46:12.646 collection=CPUTime object=Processor counter="% Processor Time" instance=_Total Value=3.2852405007373298
But when I try to timechart it like:
| timechart span=15s max(Value)
The timechart has the outer start/end time and does not contain any results. Any suggestions on how to create this type of chart?