Hi sonicant,

Yes but the result of you request isn't the objective.
I want see the today's errors who have never appeared before today. And your request show all distinct errors for today.

Thank you for your help and sorry if I'm not very clear.

Regards,

Hi splunk13

You may not use "earliest=" after the pipe, please add it into the first part of your search, like this:
("SourceName=Application Popup" OR Type=Critical OR Type=Warning) host="xxxx" earliest=@d | reverse | dedup Message

Hi,
Thank you for your fast response.
I mean the today's errors who have never appeared before.
So I just need filter the result of my request to show only errors who appeared today.

Like:
("SourceName=Application Popup" OR Type=Critical OR Type=Warning) host="xxxx" | reverse | dedup Message | earliest=-1d@d

But it doesn't work.

Regards,

The dedup will remove all the events except the first one, so in your case you should remove it.

what about the list of errors per day
mysearch | timechart span=1d count by Message

Or simply a statistical count of errors with the detail of the first and last occurrence
mysearch ealiest=-1d@d | stats last(_time) as oldesttime last(_time) as recenttime count by Message | convert ctime(oldesttime) | convert ctime(recenttime)

if you mean "new errors today" and you can accept filter date at the beginning of the search command, you may add "earliest=@d" for today or "earliest=-2d@d" for today and yesterday, into the first part of search command.
Like this:
("SourceName=Application Popup" OR
Type=Critical OR Type=Warning)
host="xxxx" earliest=@d | reverse | dedup Message