Thank you for your reply. I actually got it to work by just taking out the | chart max(percChange) over errorType line. When I used max(percChange) it changed the calculation.
Here is my final query:
base search... earliest=-7d@d
| eval myTime=case( _time < relative_time(now(), "-24h"), "Last_Week", _time >= relative_time(now(), "-24h"), "Today", 1=1, "Other")
| chart count over errorType by myTime
| eval percChange=round( ('Today'-('Last_Week'/7))*100/('Last_Week'/7) , 2), daily_average_lastweek=round('Last_Week'/7, 0)
| table errorType daily_average_lastweek Today percChange
| sort -percChange | head 10
Could I please ask you to explain to me these two lines of code:
1) | eval myTime=case( _time < relative_time(now(), "-24h"), "Last_Week", _time >= relative_time(now(), "-24h"), "Today", 1=1, "Other")
I am a bit unsure of what relative_time means and in combination with other commands as it is written above.
2) | chart count over errorType by myTime
Here I am unsure of what "over" errorType is doing
Also, when/why should I use single quotes in eval commands?
Thank you!
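What the query above computes, step by step, as an added Python illustration (not part of the original post and not Splunk code). The names `relative_time`, `top_changes` and `sample_events` and the sample events are constructed for this example; `relative_time` here is a minimal stand-in that only handles plain hour and day offsets.

```python
from collections import Counter

DAY = 86400
NOW = 1_700_000_000  # constructed "now" in epoch seconds

def relative_time(now, spec):
    # Stand-in for SPL relative_time(): epoch time shifted by "-<N>h" or "-<N>d" (no @ snapping).
    n, unit = int(spec[1:-1]), spec[-1]
    return now - n * {"h": 3600, "d": DAY}[unit]

def top_changes(events, now, limit=10):
    cutoff = relative_time(now, "-24h")
    chart = {}
    for ts, error_type in events:
        # eval myTime=case(...): "Today" and "Last_Week" in double quotes are string values
        my_time = "Last_Week" if ts < cutoff else "Today"
        # chart count over errorType by myTime: one row per errorType, one column per myTime value
        chart.setdefault(error_type, Counter())[my_time] += 1
    rows = []
    for error_type, cols in chart.items():
        last_week, today = cols["Last_Week"], cols["Today"]  # a missing cell counts as 0
        avg = last_week / 7
        # In the second eval, 'Today' and 'Last_Week' in single quotes are field (column) references.
        # eval leaves percChange null when dividing by zero; modeled here as None.
        perc = round((today - avg) * 100 / avg, 2) if avg else None
        rows.append({"errorType": error_type, "daily_average_lastweek": round(avg),
                     "Today": today, "percChange": perc})
    # sort -percChange | head 10 (placing None rows last is this example's choice)
    rows.sort(key=lambda r: (r["percChange"] is None, -(r["percChange"] or 0)))
    return rows[:limit]

def sample_events():
    # Constructed data: errorType -> (events older than 24h, events in the last 24h)
    spec = {"timeout": (14, 6), "auth_failure": (7, 1), "db_error": (21, 0), "new_error": (0, 2)}
    events = []
    for name, (old, new) in spec.items():
        events += [(NOW - 2 * DAY - i * 60, name) for i in range(old)]
        events += [(NOW - 3600 - i * 60, name) for i in range(new)]
    return events

if __name__ == "__main__":
    for row in top_changes(sample_events(), NOW):
        print(row)
```

An error type seen only in the last 24 hours has a `Last_Week` count of 0, so it gets no `percChange` value even though it may be the most interesting row.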