I'm a Splunk beginner.
I want to know which destination IP addresses are used on my enterprise infra by using the firewall log, and I would like to display the dest_ip result for the 1st week, then display only the differences between the 1st and 2nd week, and so on...
Can someone help with which query I should use?
Hi @balzac13dark,
you could run something like this:
index=your_index earliest=-14d@d latest=@d
| eval week=if(today()-_time<604800,"Second Week","First Week")
| stats dc(week) AS dc_week values(week) AS week BY dest
| eval week=if(dc_week=2,"Both Weeks", if(week="Second Week","Only Second Week","Only First Week"))
| table dest week
Ciao.
Giuseppe
Thank you! I tried, but found the error below. Would you help?
The 'today' function is unsupported or undefined
My explanation was not clear. What I want is to display all dest IP results for the first week, then display the IPs not shown in the first week as the second week result, then the 3rd week, 4th week and so on...
Hi @balzac13dark,
sorry I was confused, the function is now(), please try this:
index=your_index earliest=-14d@d latest=@d
| eval week=if(now()-_time<604800,"Second Week","First Week")
| stats dc(week) AS dc_week values(week) AS week BY dest
| eval week=if(dc_week=2,"Both Weeks", if(week="Second Week","Only Second Week","Only First Week"))
| table dest week
With this search you monitor the last two weeks' events and you know if a dest is present only in the first week, only in the second, or in both.
Ciao.
Giuseppe
@gcusello
Thank you so much!! It's working fine now. I could get results for last week and this week.
But if you could help me more with the below, it'd be highly appreciated.
* obtain day-by-day IP address difference reports for the next 3 months.
e.g.
day#1 result : IP a), b), c) -> IP a), b), c) are displayed
day#2 result : IP a), b), c), d) -> Only different than day#1 "IP d)" is displayed
day#3 result : IP a), b), d), e) -> Only different than day#1 & day#2 "IP e)" is displayed
day#4 result : IP b), d), e), f) -> Only different than day#1, day#2 & day#3 "IP f)" is displayed
and day#5, 6, 7 and so on...
Ha! So that's the answer to my initial question.
You want only "incremental differences", not the "baseline differences". I'd go for something like this:
<your search>
| bin _time span=1d (or whatever you need)
| stats earliest(_time) as _time by ip
| stats values(ip) by _time
| sort _time
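The incremental-difference logic in the search above, as an added reference implementation in Python (not code from the thread or from Splunk) run over constructed firewall log lines, so the expected output for the day#1..day#4 example can be checked offline; it also shows the "baseline differences" alternative for contrast. The log format and IP addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample firewall events (not from the thread): a UTC timestamp
# followed by key=value fields, including the dest field the searches key on.
SAMPLE_LOGS = """\
2023-11-01T08:00:00Z action=allowed src=10.0.0.5 dest=203.0.113.10
2023-11-01T09:15:00Z action=allowed src=10.0.0.6 dest=203.0.113.11
2023-11-01T17:40:00Z action=allowed src=10.0.0.7 dest=203.0.113.12
2023-11-02T08:05:00Z action=allowed src=10.0.0.5 dest=203.0.113.10
2023-11-02T23:59:00Z action=allowed src=10.0.0.9 dest=198.51.100.20
2023-11-03T07:01:00Z action=allowed src=10.0.0.6 dest=203.0.113.11
2023-11-03T12:30:00Z action=allowed src=10.0.0.9 dest=198.51.100.20
2023-11-03T13:00:00Z action=allowed src=10.0.0.3 dest=198.51.100.21
2023-11-04T06:30:00Z action=allowed src=10.0.0.9 dest=198.51.100.20
2023-11-04T21:00:00Z action=allowed src=10.0.0.4 dest=192.0.2.30
"""

LINE_RE = re.compile(r"^(\S+) .*?\bdest=(\S+)")

def parse_events(text):
    """Yield (day, dest) pairs; day is the UTC calendar day, i.e. the span=1d bin."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no dest field: the event contributes nothing to the stats
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.date().isoformat(), m.group(2)

def new_dests_per_day(text):
    """Incremental differences: a dest is listed only on the day it was first seen.
    Same result as: stats earliest(_time) AS _time BY dest | bin _time span=1d
    | stats values(dest) BY _time"""
    first_seen = {}
    for day, dest in parse_events(text):
        if dest not in first_seen or day < first_seen[dest]:
            first_seen[dest] = day
    out = {}
    for dest, day in first_seen.items():
        out.setdefault(day, []).append(dest)
    return {day: sorted(dests) for day, dests in sorted(out.items())}

def dests_not_in_baseline(text, baseline_day):
    """Baseline differences: per day, every dest absent from baseline_day, so a dest
    first seen on day 2 is reported again on day 3 if it reappears there."""
    per_day = {}
    for day, dest in parse_events(text):
        per_day.setdefault(day, set()).add(dest)
    base = per_day.get(baseline_day, set())
    return {d: sorted(s - base) for d, s in sorted(per_day.items()) if d != baseline_day}
```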
Hi @balzac13dark,
good for you that the last answer was the right one!
About the new question, for the next time, please open a new, different question!
Anyway, let me understand: you want to know the new IPs for each day with respect to the previous days, is it correct?
Only one question: you spoke about three months as the time period, but probably these three months are the last three months from the present day, is it correct?
In other words, today you count from the 7th of November, tomorrow from the 8th of November and so on, is it correct?
In this case, the only approach that I can think of is to use a summary index:
you should schedule a search like my previous answer that runs every night and saves results in a summary index, something like this:
index=your_index earliest=-90d@d latest=@d
| bin _time span=1d
| eval day=if(now()-_time<90000,"New","Already Present")
| stats dc(day) AS dc_day values(day) AS day values(_time) AS _time BY IP
| eval day=if(dc_day=2,"Always Present", if(day="New","New","Only Previous"))
| mvexpand _time
| table IP day _time
| collect index=summary_statistics
Then you could run a search on the summary index:
index=summary_statistics
| eval day=if(now()-_time<90000,"New","Already Present")
| table IP day
Ciao.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
But what if you wanted to extend this to more weeks? 🙂
It's not obvious what you mean by "difference". For example, if an IP was connected to in week 1 and 3 should it be listed in week 3 or not?