Solved: How to edit my search to find all source_value_id ...

msehic · ‎11-30-2016

When running this command: "low_seq=" "source_session_id" "-1177" | stats by _time,source_session_id,low_seq | delta low_seq as d | where d<0 | table _time, source_session_id, low_seq, d I get what I want for one source_session_id:

_time         source_session_id    low_seq  d
1:00:01 PM   -1177                 0          -4584

However, I have multiple source_session_id, so without "-1177", the search does not work: "low_seq=" "source_session_id" | stats by _time,source_session_id,low_seq | delta low_seq as d |table _time, source_session_id, low_seq, d.

How do I make it work so it finds all source_session_id where d<0?

I tried this: "low_seq=" "source_session_id" | stats values(low_seq) by source_session_id. it groups nicely for all source_session_id but I could not make it work with delta with stats(values) to get d<0,

Thank you.

msehic · ‎12-02-2016

got it.

|  table _time, source_session_id, low_seq | sort 0 source_session_id | sort 0 _time | delta low_seq as d | delta source_session_id as s | where d <0 and s=0

View solution in original post

msehic · ‎12-02-2016

got it.

|  table _time, source_session_id, low_seq | sort 0 source_session_id | sort 0 _time | delta low_seq as d | delta source_session_id as s | where d <0 and s=0

How to edit my search to find all source_value_id fields where the d value is less than zero?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

How to edit my search to find all source_value_id fields where the d value is less than zero?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...