Solved: How to edit search so delta command does not retur...

NaorPenso · ‎08-27-2014

Hi Everyone,
I have a need to create a delta between the count of id today to the count of id yesterday
search: search xyz| timechart count span=1d | sort - _time | delta count AS countdiff
example result:

    _time   count   countdiff
2014-08-26T00:00:00.000+0300    4   
2014-08-25T00:00:00.000+0300    1   -3
2014-08-24T00:00:00.000+0300    0   -1
2014-08-23T00:00:00.000+0300    0   0
2014-08-22T00:00:00.000+0300    0   0
2014-08-21T00:00:00.000+0300    0   0
2014-08-20T00:00:00.000+0300    0   0
2014-08-19T00:00:00.000+0300    0   0
2014-08-18T00:00:00.000+0300    0   0
2014-08-17T00:00:00.000+0300    0   0
2014-08-16T00:00:00.000+0300    0   0
2014-08-15T00:00:00.000+0300    0   0
2014-08-14T00:00:00.000+0300    0   0
2014-08-13T00:00:00.000+0300    0   0
2014-08-12T00:00:00.000+0300    1   1
2014-08-11T00:00:00.000+0300    0   -1

using delta i was able to create the diff between today and the day before but the delta function does yesterday-today and i need it today-yesterday.
Any thoughts?

norbert_hamel · ‎08-27-2014

Maybe you want to remove the | sort - _time, or put is behind the diff command.

search xyz| timechart span=1min count | delta count AS countdiff | sort - _time

Cheers
Norbert

View solution in original post

norbert_hamel · ‎08-27-2014

Maybe you want to remove the | sort - _time, or put is behind the diff command.

search xyz| timechart span=1min count | delta count AS countdiff | sort - _time

Cheers
Norbert

NaorPenso · ‎08-27-2014

Thank Norbert!
Delta before the diff did return positive values.
Thanks again,
Naor

DerekKing · ‎08-27-2014

Hi,

What about

search xyz| timechart count span=1d | reverse | delta count AS countdiff

Regards
Derek

How to edit search so delta command does not return negative results?

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023