Hi. I am trying to understand how I can list new referrers (hostnames):
rex field=headers.Referer "^https?://(www.)?(?
compared to yesterday. That means, I want to list (and count) all events from a referrer that was not present yesterday. Possible?
I'm not sure whether the rex you have in the question works so I changed it. What you can do:
then you search for the ref_domains that only occur on one day and whose day matches today
Run this over the two days in question, e.g.
base search yielding some "referer" field | stats count earliest(_time) as earliesttime by referer | addinfo | where earliesttime >= relative_time(info_min_time, "+d") | fields - info* earliesttime
This counts over two days and gets you the timestamp of the earliest event. If that event is within a day from the start of the time range, e.g. happened during the first of the two days, that referer is discarded. What remains has appeared on the second day but not on the first, along with a count for that second day.
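Added example, not part of the original thread: a Python model of the earliest-event filter described in the answer above, combined with the hostname extraction the question asks for, run over constructed sample events. The function names, the sample hosts and the timestamps are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

def ref_host(referer):
    """Hostname of a Referer value, lower-cased, without a leading 'www.'."""
    host = (urlsplit(referer or "").hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def new_referrers(events, window_start):
    """events: iterable of (datetime, Referer header) covering two days.
    Returns {host: count} for hosts whose earliest event falls at least
    one day after window_start, i.e. hosts not seen on the first day."""
    count = defaultdict(int)
    earliest = {}
    for ts, referer in events:
        host = ref_host(referer)
        if not host:                      # missing or unparsable Referer
            continue
        count[host] += 1                  # stats count ... by referer
        if host not in earliest or ts < earliest[host]:
            earliest[host] = ts           # earliest(_time) as earliesttime
    # Same boundary as: earliesttime >= relative_time(info_min_time, "+d")
    cutoff = window_start + timedelta(days=1)
    return {h: count[h] for h in count if earliest[h] >= cutoff}

# Constructed sample events; DAY1 plays the role of info_min_time.
DAY1 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def at(hours):
    return DAY1 + timedelta(hours=hours)

SAMPLE = [
    (at(3),  "https://www.old.example/a"),   # seen on both days: discarded
    (at(30), "http://old.example/b"),
    (at(5),  "https://gone.example/"),       # first day only: discarded
    (at(26), "https://new.example/x"),       # second day only: kept
    (at(40), "https://www.new.example/y"),   # same host once 'www.' is stripped
    (at(24), "https://midnight.example/"),   # exactly on the boundary: kept (>=)
    (at(27), ""),                            # empty Referer: skipped
    (at(28), "not a url"),                   # no hostname: skipped
]

if __name__ == "__main__":
    print(new_referrers(SAMPLE, DAY1))
```

A host seen only on the first day drops out the same way as one seen on both days, because its earliest event is before the cutoff.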