I have a simple search which is satisfaction_date=0 OR close_date=0 AND status=8 in the previous month. I now have a requirement where users want to see (last 30 days) where those records are now tagged with a different status. The unique identifier with each record is a proposal_id.
i.e in October proposal vdutta1 had a satisfaction date as 0 and status as 8. Proposal vdutta1 now has a satisfaction date as 0 and status as 6 so this record should be shown.
Can you help?
Given that the requirement only concerns final status, I have a suspicion that your initial state is "(satisfaction_date=0 OR close_date=0) AND status=8", not "satisfaction_date=0 OR close_date=0 AND status=8". So, I'll start from this one.
(satisfaction_date = 0 OR close_date = 0) status = *
| eval month = if(_time < strptime(strftime(now(), "%Y-%m") . "-01", "%F"), "previous", "current")
| stats latest(status) as status by month proposal_id
| eval status = month . ":" . status
| stats values(status) as status by proposal_id
| where status == "prevous:0" AND NOT status == "current:0"Hope this helps. (Granted, using string manipulation for filtering is silly; there can be many other ways to do it.)
Given that the requirement only concerns final status, I have a suspicion that your initial state is "(satisfaction_date=0 OR close_date=0) AND status=8", not "satisfaction_date=0 OR close_date=0 AND status=8". So, I'll start from this one.
(satisfaction_date = 0 OR close_date = 0) status = *
| eval month = if(_time < strptime(strftime(now(), "%Y-%m") . "-01", "%F"), "previous", "current")
| stats latest(status) as status by month proposal_id
| eval status = month . ":" . status
| stats values(status) as status by proposal_id
| where status == "prevous:0" AND NOT status == "current:0"Hope this helps. (Granted, using string manipulation for filtering is silly; there can be many other ways to do it.)
Thanks @yuanliu this has worked a treat! ![]()