Hello Team,
I want to compare total count of last 7 days to the total count of 7 days before that in a single value with trend. For example, (suppose today is 15th), if the total count from 9th to 15th is 120 and total count from 1st to 8th was 50. I want to compare this and have a single value with Arrow.
I hope you have got my point. Le t me know if you need some more information
Regards
It definitely should work; it works for me (you don't need the fields
part so just drop it):
earliest=-14d@d latest=@d-1s index=_internal
| timechart span=7d count
Thanks Woodcock. It would work but if count is zero it won't show for that week/hour/day.
Did you see a zero in your count in the results?
Yes, even when I drop the previous week's events like this:
earliest=-14d@d latest=@d-1s index=_internal
| where _time > relative_time(now(), "-1d@d")
| timechart span=7d count
Strange, doesn't work for me....
I am on v6.6.0.
would you want the single value to be 120, then and just an arrow pointing up?
try something like this for a date range of the 1st through 14th:
|timechart span=7d count
if you only want the arrow, don't show the sparkline. it would just be two points anyways with just two weeks.
Hi Cmerriman,
Thanks for your response.
I managed to create a search but it is not giving me the result as expected. see below:
MY SEARCH:
earliest=-14d@d latest=@d-1s index=myindex sourcetype=mysourcetype status=success | timechart span=7d count | fields count
I'm getting the result as:
count _time
25 2017-06-09
What I'm expecting is:
count _time
0 2017-06-02
25 2017-06-09
I think the problem is if the total of the count during the week from 2nd to 8th is 0 (Zero) is doesn't provide the result for that week. Any clues how we can make that appear in the result?
that is bizarre. i'm running a similar query on my own data. i limited a dataset so that i only had data coming back from 6/11-6/14. i ran .... earliest=-14d@d latest=@d-1s| timechart span=7d count | fields count
and got back
count _time
0 2017-06-02
17864 2017-06-09
I'm on version 6.5.1, is that the version you are on?
It all works fine for me on v6.6.0.