I want to compare the total count of the last 7 days to the total count of the 7 days before that, as a single value with a trend. For example (suppose today is the 15th), if the total count from the 9th to the 15th is 120 and the total count from the 1st to the 8th was 50, I want to compare these and have a single value with an arrow.
I hope you have got my point. Let me know if you need some more information.
Would you want the single value to be 120, then, and just an arrow pointing up?
Try something like this for a date range of the 1st through the 14th:
|timechart span=7d count
If you only want the arrow, don't show the sparkline. It would just be two points anyway with only two weeks.
Thanks for your response.
I managed to create a search, but it is not giving me the expected result. See below:
earliest=-14d@d latest=@d-1s index=myindex sourcetype=mysourcetype status=success | timechart span=7d count | fields count
I'm getting the result as:
count  _time
25     2017-06-09
What I'm expecting is:
count  _time
0      2017-06-02
25     2017-06-09
I think the problem is that if the total count during the week from the 2nd to the 8th is 0 (zero), it doesn't provide a result for that week. Any clues as to how we can make that appear in the result?
That is bizarre. I'm running a similar query on my own data. I limited a dataset so that I only had data coming back from 6/11 to 6/14. I ran
.... earliest=-14d@d latest=@d-1s| timechart span=7d count | fields count
and got back
I'm on version 6.5.1, is that the version you are on?
It definitely should work; it works for me (you don't need the fields part, so just drop it):
earliest=-14d@d latest=@d-1s index=_internal | timechart span=7d count
Thanks Woodcock. It would work, but if the count is zero it won't show for that week/hour/day.
Did you see a zero in your count in the results?
Yes, even when I drop the previous week's events like this:
earliest=-14d@d latest=@d-1s index=_internal | where _time > relative_time(now(), "-1d@d") | timechart span=7d count
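The problem raised above (a week with zero matching events is missing from the bucketed result, so there is nothing to compare the current week against) and the original goal of one value with a trend arrow can be shown outside Splunk. The following is an added example in Python, not code from this thread or from Splunk: it re-implements the 7-day bucketing over a constructed list of event timestamps, once the way the poster observed it (only buckets that contain events) and once zero-filled, then derives the current/previous counts and an arrow from the last two buckets. It assumes "today" is 2017-06-16, so that earliest=-14d@d is 2017-06-02 and latest=@d-1s is the end of 2017-06-15, matching the expected output posted earlier; the event list and the function names are the example's own.

```python
"""Zero-filled weekly bucketing with a trend arrow (constructed example)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SPAN = timedelta(days=7)

# Constructed sample: 25 events in the week starting 2017-06-09, none in the week
# before, plus two events outside the search window that must be ignored.
EVENTS = [datetime(2017, 6, 9, tzinfo=UTC) + timedelta(hours=6 * i) for i in range(25)]
EVENTS += [datetime(2017, 6, 1, 12, tzinfo=UTC), datetime(2017, 6, 16, 1, tzinfo=UTC)]

# earliest=-14d@d latest=@d-1s evaluated with an assumed "today" of 2017-06-16.
EARLIEST = datetime(2017, 6, 2, tzinfo=UTC)
LATEST = datetime(2017, 6, 16, tzinfo=UTC)   # exclusive upper bound (@d-1s inclusive)


def sparse_bucket_counts(events, earliest, latest, span=SPAN):
    """Count only buckets that contain events. This is the shape the poster saw:
    the empty 2017-06-02 week is simply absent from the result."""
    counts = {}
    for t in events:
        if earliest <= t < latest:
            # timedelta // timedelta gives the bucket index as an int
            bucket = earliest + ((t - earliest) // span) * span
            counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def bucket_counts(events, earliest, latest, span=SPAN):
    """Same counting, but every bucket in [earliest, latest) is pre-seeded with 0,
    so a week with no matching events still appears with count 0."""
    counts = {}
    start = earliest
    while start < latest:
        counts[start] = 0
        start += span
    for bucket, n in sparse_bucket_counts(events, earliest, latest, span).items():
        counts[bucket] += n
    return counts


def trend(counts):
    """Return (current, previous, delta, arrow) from the last two buckets.
    Raises ValueError when fewer than two buckets exist, which is what happens
    downstream once the empty week has been dropped from the result."""
    ordered = [counts[k] for k in sorted(counts)]
    if len(ordered) < 2:
        raise ValueError("need two buckets to compute a trend, got %d" % len(ordered))
    current, previous = ordered[-1], ordered[-2]
    arrow = "up" if current > previous else "down" if current < previous else "flat"
    return current, previous, current - previous, arrow


if __name__ == "__main__":
    for name, fn in (("sparse", sparse_bucket_counts), ("zero-filled", bucket_counts)):
        counts = fn(EVENTS, EARLIEST, LATEST)
        print(name, {k.date().isoformat(): v for k, v in counts.items()})
        try:
            print("  trend:", trend(counts))
        except ValueError as e:
            print("  trend:", e)
```

Run as a script, the sparse variant yields a single bucket (2017-06-09: 25) and no trend, while the zero-filled variant yields 2017-06-02: 0 and 2017-06-09: 25 and a trend of 25 versus 0, arrow up. The design point is that the bucket grid must be derived from the search window, not from the events, otherwise the "previous" value the single-value panel needs does not exist when the earlier week was quiet.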