I have a top ten search for Windows errors that I run each day.
My boss wants to know how many days each of the top ten have been on the top ten list.
The report should look like this:
Event_ID | Num_Days_On_List | Count
256 | 5 | 256
1056 | 1 | 194
I think Summary Indexing would work for this.
Create a new index for your summary (e.g., summarytopstatus).
Create search to use the sitop command instead of top.
(sourcetype="yoursourcetype" | sitop Event_ID) with a relative timeframe of -1d@d
Edit the search to have it run on a scheduled basis. (every day at midnight)
Check 'Enable Summary Indexing'.
Select your new index.
The following should give you the results you are looking for:
index="summarytopstatus" search_name="yoursearchname" | stats count as Num_Days_On_List , sum(cvp*reserved*count) as TotalCount by Event_ID
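As an added illustration (not part of the answer above), this small Python model shows the two-stage logic the summary-index approach relies on: a per-day top-N cut (what the scheduled sitop search stores) followed by a days-on-list count and sum across days (the stats search). The events, dates and Event IDs are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample: (day, Event_ID) pairs standing in for Windows event log records.
# The IDs and volumes are invented for illustration only.
SAMPLE_EVENTS = (
    [("2024-01-01", 256)] * 120 + [("2024-01-01", 1056)] * 40
    + [("2024-01-01", 4625)] * 10 + [("2024-01-01", 7036)] * 3
    + [("2024-01-02", 256)] * 136 + [("2024-01-02", 1056)] * 154
    + [("2024-01-02", 7036)] * 2
)

def daily_top(events, n=10):
    """Stage 1, the scheduled 'sitop Event_ID' search: per day, keep only the
    top-n Event IDs and their counts (everything else is cut off here)."""
    per_day = defaultdict(Counter)
    for day, event_id in events:
        per_day[day][event_id] += 1
    return {day: dict(c.most_common(n)) for day, c in per_day.items()}

def days_on_list(summary):
    """Stage 2, the stats search over the summary index: for each Event ID,
    count the days it appeared in a daily top list and sum those days' counts.
    Note the caveat: a day on which an ID fell below the cut contributes
    nothing to its total, so TotalCount is 'count while on the list'."""
    result = {}
    for top in summary.values():
        for event_id, count in top.items():
            days, total = result.get(event_id, (0, 0))
            result[event_id] = (days + 1, total + count)
    return result

if __name__ == "__main__":
    # n=2 keeps the sample readable; use n=10 for a real top ten.
    summary = daily_top(SAMPLE_EVENTS, n=2)
    print("Event_ID | Num_Days_On_List | Count")
    for event_id, (days, total) in sorted(days_on_list(summary).items(),
                                          key=lambda kv: (-kv[1][0], -kv[1][1])):
        print(f"{event_id} | {days} | {total}")
```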
This isn't exactly what you want, but I think it will get you close enough.
yoursearch | bucket _time span=1d as day | eval day=strftime(day, "%Y-%m-%d") | chart count over Event_ID by day
This should produce a nice table with the dates on the top. Then you can sort the counts by day by clicking on them. Run this search over a timeframe of at least 24 hours or greater. My security analysts love this search for security related events.