Hi
I need to compare the results of 2 single panel between 2 different dates
The first single panel concerns the results of the current day in the last 15 minutes and consists of a basic count
| stats dc(s)
In the second single panel, I need to do the same count but for one week before, also in the last 15 minutes compared to the current time
Is it possible to do such a thing?
Thanks
I showed you some techniques you can use to get results from two separate timeframes. It's up to you to stitch them together into some reasonable search 🙂
There are also some factors affecting how you'd approach such a result (for example, time alignment), so it's not that easy to give a copy-paste solution. And you might end up needing to append two separate searches to each other.
You can use eval in stats to get only a subset of the events to summarize.
Run-anywhere example that generates 100 random numbers in range 0-99, one for each "second ago", and counts how many different values were present more than 30 seconds ago and less than 15 seconds ago
| makeresults count=100
| eval myval=random() % 100
| streamstats count
| eval _time=now()-count
| eventstats dc(eval(if(_time<now()-30,myval,null()))) as before_30 dc(eval(if(_time>now()-15,myval,null()))) as after_15
Here I use eventstats so you see the original data and can verify but of course you can use stats the same way.
thanks but it's not exactly my need
here is what I did
with this, I retrieve the s count one week ago for every 15 minutes
`tutu` sourcetype="session" earliest=-7d@d+7h latest=-7d@d+19h
| bin _time span=15m
| eval time=strftime(_time,"%H:%M")
| stats dc(s) by time
now it is missing something
I need to compare the current time with the corresponding time in my search and to display the result
do you have an idea please?
That was just one of the ideas you could use to make your own solution. Remember that you can use alternative of several different timespans.
For example:
index=winevents (earliest=-7d@d latest=-7d@d+2h) OR (earliest=-6d@d latest=-6d@d+2h)
| timechart span=15m dc(EventID) as dc
| where dc>0
This will give me the count of unique EventIDs in each 15-minute-long span, but only during two separate two-hour-long windows.
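Stitching together the two techniques shown in this thread (eval inside stats from the earlier answer, and two OR'd time windows from the answer above) into one search that compares the current 15 minutes with the same 15 minutes one week earlier. This is an added example, not the answerer's search; it assumes the same index=winevents and EventID field used above.

```spl
index=winevents (earliest=-15m@m latest=@m) OR (earliest=-7d@m-15m latest=-7d@m)
| eval window=if(_time >= relative_time(now(), "-15m@m"), "current", "week_ago")
| stats dc(eval(if(window="current", EventID, null()))) as dc_current
        dc(eval(if(window="week_ago", EventID, null()))) as dc_week_ago
| eval delta=dc_current-dc_week_ago
| eval pct_change=if(dc_week_ago>0, round(100*delta/dc_week_ago, 1), null())
```

Both windows are snapped to the minute (@m) so the week-ago window covers exactly the same 15 minutes of the same weekday, which is the time-alignment point raised earlier in the thread. For a single value panel, finish with `| fields delta` (or whichever of the computed fields the panel should show).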
thanks
but my exact need is to be able to compare the current time with the timechart _time in order to display only the result corresponding to the current time
So I need something like this:
| eval currenttime=strftime(now(), "%d/%m/%Y %H:%M")
| eval pasttime=strftime(_time, "%d/%m/%Y %H:%M")
| eval pastcurrent=if(pasttime=currenttime, count, "")
| table count
Sorry, but that doesn't make much sense. You can't calculate stats from a week ago and compare them to a current timestamp (ok, technically you can but it's pointless). These are two different things.
sorry but your search doesn't do the job I need because there is no matching with the current time