|
I am trying to run a search that show's both bytes_in and bytes_rec for the network card. Here is my search - source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Sent/sec"|stats avg(Value) AS Bytes_in by host|join host[source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Recieved/sec"|stats avg(Value) AS Bytes_Rec by host]|timechart avg(Bytes_in) avg(Bytes_Rec) The error I get is Search operation 'source' is unknown. You might not have permission to run this operation. |
|
In subsearches, unlike in the "main" search pipeline, you need to explicitly state the command that should run at the start, which means you need to start off with "search", so for instance So, this should work (at least the subsearch should, I haven't looked deep into your |
|
You need to put the word "search" explicitly in your subsearch: [search source=... You could also try counter="Bytes Sent/sec" OR counter="Bytes Received/sec" and cut out the subsearch entirely. Might need to fiddle with the rest of the command some. |
|
you need to start the subsearch with "search" like below source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Sent/sec"|stats avg(Value) AS Bytes_in by host|join host[search source="Perfmon:Network Interface" host=stbackup06 counter="Bytes Recieved/sec"|stats avg(Value) AS Bytes_Rec by host]|timechart avg(Bytes_in) avg(Bytes_Rec) |
