Solved: How to form a trend table for events

mrigank517 · ‎05-17-2019

I want to have a search for a particular keyword say "error" being calculated from the events and the output should be in the form of table which shows the count for the particular event for last 7 days and last 30 days.

Sukisen1981 · ‎05-17-2019

append will add the sub search as a row entry, and eval works on a event row basis, so ideally you should not receive any output by using thsi query. Try this :
index=xxx error earliest=-30d@d latest=@d | stats count AS thirty_days | appendcols [ search earliest=-7d@d latest=@d | stats count AS seven_days] | eval rate=((seven_days/thirty_days)*100) |table rate

View solution in original post

Sukisen1981 · ‎05-17-2019

append will add the sub search as a row entry, and eval works on a event row basis, so ideally you should not receive any output by using thsi query. Try this :
index=xxx error earliest=-30d@d latest=@d | stats count AS thirty_days | appendcols [ search earliest=-7d@d latest=@d | stats count AS seven_days] | eval rate=((seven_days/thirty_days)*100) |table rate

richgalloway · ‎05-17-2019

What have you tried so far?

---
If this reply helps you, Karma would be appreciated.

mrigank517 · ‎05-17-2019

How to form a trend table for events

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!