I'm trying to add the appearance of a certain value in my base search count. the value is "detatched". it is written in an event, when a certain license has been used. this detatched license has a lifespan of 14 days, afterwards it's not active anymore and I don't need to add this to my base search anymore.
I know this query is partlially stupid but what I want to show is what I'm trying to accomplish. Example: Today I have a licence count of the product 5000 of 5, 14 days ago I had a count of 1, therefore today it should show me 6. tomorrow, this count of 1 shouldn't be added anymore, cause it's more than 14 days old and not active anymore. this should be seen - ideally - in a timechart.
Hope someone can make sense of this . Much appreciate any help or feedback, cause, maybe it's not possible to do so in splunk.
after further discussion I think the best way of putting it is the following:
I need a maximum of a value of a certain attribute at a specific day as basecount and then looks back 14 days (related to this specific day) and counts the occurance of events which contain the word "detatched" and add this as a count to the basecount.
this would be the view for a specific day. after this I'd need this view, but for a timewindow of for example 7 days (sliding timewindow).
It's the best way of finally putting it. I hope you get what I mean. 🙂 I'm sorry that I switched back and forth with the explanation but as you can see it's not an easy way of describing it.