Update example searches

Author: jerewill-cisco

README.md

@@ -121,9 +121,13 @@ One for each sourcetype...
 
 And just a few more for fun...
 
+Here's an example where we summarize our compute inventory and demonstrate how we might extract information from the Model field of UCS Servers...
+
+`index=* sourcetype=cisco:intersight:computePhysicalSummaries | dedup Moid | chart count by Model | rex field=Model "^(?<series>.*?)[-\d]" | rex field=Model "(?<model>\w{0,4}\d{3,4}\w?)" | rex field=Model "(?<generation>M\d)" | rex field=Model "M\d(?<variant>\w+)" | rex field=Model "(?<gen_variant>M\d\w*)" | table Model count series model generation variant gen_variant`
+
 Here's an example where we join the computePhysicalSummaries and the networkElementSummaries into a combined table...
 
-`index=* sourcetype="cisco:intersight:*Summaries" | dedup Moid | eval version=coalesce(Version,Firmware) | rex field=SourceObjectType "compute\.(?<ComputeType>.*)" | eval Type=coalesce(ComputeType,SwitchType) | table source, Type, Name, Model, Serial, version`
+`index=* sourcetype=cisco:intersight:*Summaries | dedup Moid | eval version=coalesce(Version,Firmware) | rex field=SourceObjectType "compute\.(?<ComputeType>.*)" | eval Type=coalesce(ComputeType,SwitchType)| rename AlarmSummary.Critical as Criticals | rename AlarmSummary.Warning as Warnings | eval Health=case(Criticals >= 1,"Critical", Warnings >= 1,"Warning", 1=1, "Healthy") | rename RegisteredDevice.ConnectionStatus as Status | table source, Status, Health, Type, Name, Model, Serial, version`
 
 Here's an example where we join the Advisory instances to our other inventory types to provide a detailed view...