Hi Everyone,
I have a need to create a delta between the count of id today and the count of id yesterday.
search: search xyz| timechart count span=1d | sort - _time | delta count AS countdiff
example result:
_time count countdiff
2014-08-26T00:00:00.000+0300 4
2014-08-25T00:00:00.000+0300 1 -3
2014-08-24T00:00:00.000+0300 0 -1
2014-08-23T00:00:00.000+0300 0 0
2014-08-22T00:00:00.000+0300 0 0
2014-08-21T00:00:00.000+0300 0 0
2014-08-20T00:00:00.000+0300 0 0
2014-08-19T00:00:00.000+0300 0 0
2014-08-18T00:00:00.000+0300 0 0
2014-08-17T00:00:00.000+0300 0 0
2014-08-16T00:00:00.000+0300 0 0
2014-08-15T00:00:00.000+0300 0 0
2014-08-14T00:00:00.000+0300 0 0
2014-08-13T00:00:00.000+0300 0 0
2014-08-12T00:00:00.000+0300 1 1
2014-08-11T00:00:00.000+0300 0 -1
Using delta I was able to create the diff between today and the day before, but the delta function does yesterday-today and I need it today-yesterday.
Any thoughts?
Maybe you want to remove the | sort - _time, or put it behind the diff command.
search xyz| timechart span=1min count | delta count AS countdiff | sort - _time
Cheers
Norbert
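Why moving the sort changes the sign, as an added example that is not part of the original posts and is not Splunk code: a small Python model of delta, which subtracts the previous row's value from the current row's value in whatever order the rows arrive. The sample counts are constructed from the first rows of the table in the question, and the function names are hypothetical.

```python
# Added example: a model of delta's row-order behaviour, not Splunk code.
# Daily counts are constructed from the first rows of the question's table.
DAILY = [
    ("2014-08-23", 0),
    ("2014-08-24", 0),
    ("2014-08-25", 1),
    ("2014-08-26", 4),
]


def by_day(row):
    return row[0]


def delta(rows, p=1):
    """Return (day, count, diff); diff = count minus the count p rows earlier.

    The first p rows have no earlier row to compare with, so diff is None.
    """
    out = []
    for i, (day, count) in enumerate(rows):
        diff = count - rows[i - p][1] if i >= p else None
        out.append((day, count, diff))
    return out


def newest_first_then_delta(rows):
    # Mirrors: timechart | sort - _time | delta  (the search in the question)
    return delta(sorted(rows, key=by_day, reverse=True))


def delta_then_newest_first(rows):
    # Mirrors: timechart | delta | sort - _time  (the reordered search)
    return sorted(delta(sorted(rows, key=by_day)), key=by_day, reverse=True)


if __name__ == "__main__":
    for label, fn in (("sort before delta", newest_first_then_delta),
                      ("delta before sort", delta_then_newest_first)):
        print(label)
        for day, count, diff in fn(DAILY):
            shown = "" if diff is None else diff
            print(f"  {day}  count={count}  countdiff={shown}")
```

With delta run on oldest-first rows, the row without a countdiff is the oldest day rather than today.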
Thanks Norbert!
Delta before the diff did return positive values.
Thanks again,
Naor
Hi,
What about
search xyz| timechart count span=1d | reverse | delta count AS countdiff
Regards
Derek