I'm using the following search and getting the following results. This search is done over 7 days.
Is there a way I can split this up and show 1 day + 7 days?
Current search:
some_search=* | stats count(some_num) as "No: Requests" by some_num, client
Current result:
some_num   client   No: Requests
9999999    PC       121
111111     MAC      342
Looking to get this result instead.
some_num   client   No: Requests (1 Day)   No: Requests (7 Days)
9999999    PC       70                     121
111111     MAC      102                    342
Also, I tried with the following search, but I ended up with all days in a single row, which is not what I want.
Another try:
some_search=* | stats count(some_num) as "No: Requests" by some_num, client, date_mday
Hi @angersleek,
One option would be to use the append command:
index=... ... earliest=-24h latest=now
| stats count(some_num) as "No: Requests" by some_num,client
| eval Days=1
| append [search index=... ... earliest=-7d latest=now
| stats count(some_num) as "No: Requests" by some_num,client
| eval Days=7]
Alternately, try this with a time range of the last 7 days:
some_search=*
| bucket _time span=1d
| eventstats max(_time) as max_time
| stats count as count_requests_7d count(eval(_time==max_time)) as count_requests_1d by some_num, client
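
A variant of the single-pass approach, added here as an example and not taken from either reply: it runs over the last 7 days and fills the 1-day column from a rolling 24-hour window via relative_time(), where the bucket-based search above counts the most recent calendar-day bucket. The column names follow the result table in the question; treating "1 day" as the last 24 hours is an assumption.

```spl
some_search=* earliest=-7d latest=now
| stats count(eval(_time >= relative_time(now(), "-24h"))) as "No: Requests (1 Day)"
        count(some_num) as "No: Requests (7 Days)"
        by some_num, client
| sort - "No: Requests (7 Days)"
```

Because both counts come from the same pass over the same events, every some_num/client pair gets a row even when it had no requests in the last 24 hours (the 1-day column is then 0), which the append form does not guarantee.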