Solved: Join two statistics tables without subsearch

sbarinov · ‎05-05-2021

Hi,

I am trying to compare event type count statistics for 2 days using the following search:

earliest=-48h latest=-24h | stats count as count1 by eventtype | table eventtype, count1 | join eventtype [search earliest=-24h latest=now() | stats count as count2 by eventtype | table eventtype, count2] | eval diff=(count2-count1)  | table eventtype, diff | sort diff

Is there any option to do this without using subsearch and join?

Thanks.

ITWhisperer · ‎05-05-2021

earliest=-48h latest=now()
| eval period=floor((now()-_time)/(24*60*60))
| stats count(eval(period=1)) as count1 count(eval(period=0)) as count2 by eventtype
| eval diff=count2-count1
| table eventtype diff
| sort diff

View solution in original post

ITWhisperer · ‎05-05-2021

earliest=-48h latest=now()
| eval period=floor((now()-_time)/(24*60*60))
| stats count(eval(period=1)) as count1 count(eval(period=0)) as count2 by eventtype
| eval diff=count2-count1
| table eventtype diff
| sort diff

sbarinov · ‎05-05-2021

@ITWhisperer Thank you!

Join two statistics tables without subsearch

count

join

stats

subsearch

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!