I am currently attempting to create a table that displays the count of one event from the previous month in comparison to the current month. I'm not quite sure what the best way to do this is but I've created a search with an appended search and I'm attempting to display this in a table comparing the two results from last month to this month.
Essentially what Im trying to achieve is the following:
| Event | Last Month(count) | Current Month(count) |
| Event 1 | 4323 | 435 |
| Event 2 | 564 | 23 |
Here is my base search so far..
<search 1> earliest=-1mon@mon latest=@mon> | multikv | stats count by event | eval input_type="Last_Month" | append [<search 2> earliest=@mon latest=now | multikv | stats count by event | eval input_type="Current_Month"] |
Thank you!
