index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| transaction UUID keepevicted=true
| eval ReportKey="Today"
| append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
| transaction UUID keepevicted=true
| eval ReportKey="LastWeek"
| eval _time=_time+60*60*24*7]
| timechart span=30m count(linecount) as Volume by ReportKey | fields _time,Today,LastWeek
As this search is taking more time to load, I am trying to modify the search. Can you please help me with this?
Thanks in advance
Veerendra
Are you sure it's append that's taking more time and not transaction? The transaction command tends to be more inefficient. Perhaps this will be a quicker way to plot volume.
index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
```Count transactions by counting the number of unique UUID values```
| stats dc(UUID) by _time
| eval ReportKey="Today"
| append [search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
| bin span=30m _time
| stats dc(UUID) by _time
| eval ReportKey="LastWeek"
| eval _time=_time+60*60*24*7]
| timechart span=30m count as Volume by ReportKey
But that gives me a 0 count; it's not giving me the exact results.
Let's break it down a little. Does this part produce correct results?
index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m
| bin span=30m _time
| stats dc(UUID) by _time
index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m | bin span=30m _time | stats dc(UUID) by _time
This is giving exact results, but when I append with the subsearch, i.e.
index in (a,b) sourcetype in (a,b) earliest=-12h latest=@m
|bin span =30m _time
|stats dc(Uuid) as today by _time
|append[ |search index in (a,b) sourcetype in (a,b) earliest=-12h -1w latest=@m-1w
|eval _time=_time+60*60*24*14
|bin span =30m _time
|stats dc(Uuid) as lastweek by _time] |fields today,lastweek
In this query, for today I am getting the exact output, but for lastweek I am getting 0 results.
Please help me out.
Thank you in advance
veeru
The "IN" keyword must be capitalized. Also, consider using the relative_time function instead of maths.
index IN (a,b) sourcetype in (a,b) earliest=-12h latest=@m
|bin span =30m _time
|stats dc(Uuid) as today by _time
|append[ |search index IN (a,b) sourcetype in (a,b) earliest=-12h -1w latest=@m-1w
|eval _time=relative_time(_time, "+1w")
|bin span =30m _time
|stats dc(Uuid) as lastweek by _time]
|fields today,lastweek
Till stats count(uuid) it is working, but I want it by reportkey.
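The follow-up above asks for the volume split by ReportKey while keeping the cheaper `stats dc(UUID)` approach from the answer. The search below is an added example, not code from anyone in this thread; it assumes the same index and sourcetype lists `A,B` and the same `UUID` field as the original question, and it adds a hypothetical `PctChange` column that is not on the page. The points it shows: pre-aggregating inside the subsearch so `append` only carries one row per 30-minute bin rather than raw events (which keeps it well inside subsearch row and time limits), shifting last week's timestamps with `relative_time` before binning, and using `sum(Volume)` in `timechart` so the per-bin distinct counts survive (a bare `count` would just count the single row per bin and give 1 everywhere).

```spl
index IN (A,B) sourcetype IN (A,B) earliest=-12h latest=@m ```added example: assumes index/sourcetype A,B and a UUID field as in the question```
| bin span=30m _time
| stats dc(UUID) AS Volume BY _time ```one row per bin: distinct UUIDs seen in that bin```
| eval ReportKey="Today" ```set after stats, otherwise stats would drop the field```
| append [
    search index IN (A,B) sourcetype IN (A,B) earliest=-12h-1w latest=@m-1w
    | eval _time=relative_time(_time, "+1w") ```shift last week forward so its bins line up with today```
    | bin span=30m _time
    | stats dc(UUID) AS Volume BY _time
    | eval ReportKey="LastWeek"
  ]
| timechart span=30m sum(Volume) AS Volume BY ReportKey ```columns become Today and LastWeek```
| eval PctChange=if(LastWeek>0, round((Today-LastWeek)/LastWeek*100, 1), null()) ```hypothetical helper column, guards the divide by zero```
| fields _time, Today, LastWeek, PctChange
```

Read as a log-source health check, a bin where `Today` falls far below `LastWeek` (a large negative `PctChange`) is the signal to look at: it usually means a forwarder or source went quiet rather than that the underlying activity stopped. Note that `eval ReportKey` has to sit after `stats` in both branches; placed before it, the field is discarded because it is not in the `BY` clause, which is one way to end up with an empty `LastWeek` column.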