I have a search that compares the number of events for the current day, for a given combination of fields, to the daily average over the prior two weeks. The search is pretty involved and is included below for reference. The search works as intended. There may be ways to simplify the search and I'm open to such feedback, but simplifying the search is not my question. My question is...
How can I add the timestamp of the most recent occurrence for the combination of fields?
I've included two screenshots. The first screenshot shows the current results and the second screenshot illustrates the desired results.
Any advice is appreciated. Thanks
sourcetype=xxxxxxxx earliest=@w6-14d latest=@w6
| eval Prior_or_Current="Prior"
| append [search sourcetype=xxxxxxxx earliest=@d
| eval Prior_or_Current="Current"]
| eval dayOfWeek=strftime(_time, "%A")
| eval hourOfDay=strftime(_time, "%H")
| search NOT ((dayOfWeek="Friday" AND hourOfDay>=20) OR (dayOfWeek="saturday" AND hourOfDay<5) OR (dayOfWeek="sunday" AND (hourOfDay>=0 AND hourOfDay<5)))
| eval Event_Date=strftime(_time, "%F")
| rex "msg\=\'(?<msg_first22char>(.{22}))"
| eval Combined_Key=err_transaction_id.",".err_program.",".msg_first22char
| stats count by Event_Date Combined_Key Prior_or_Current
| chart avg(count) over Combined_Key by Prior_or_Current
| eval Prior=if(Prior>"",Prior,0)
| eval Current=if(Current>"",Current,0)
| eval Percent_Change=(Current-Prior)/Prior*100
| eval Percent_Change=if(Percent_Change>"",Percent_Change,if(Prior>0,-100,100))
| eval Percent_Change=round(Percent_Change,0), Prior=round(Prior,0), Current=round(Current,0)
| rename Prior as Prior_Period_Daily_Avg Current as Current_Day_Count
| eval Sort_To_The_Top=if((Prior_Period_Daily_Avg=0 OR (Percent_Change>=50 AND Prior_Period_Daily_Avg>=200) OR (Percent_Change>=100 AND Prior_Period_Daily_Avg>=50) OR (Percent_Change>=500 AND Prior_Period_Daily_Avg>=10) OR Percent_Change>=1000), 0, if(Percent_Change>-1,1,2))
| search Sort_To_The_Top=0
| rex field=Combined_Key "(?<err_transaction_id>[\w|\W]+),(?<err_program>[\w|\W]+),(?<msg_first22chars>[\w|\W]+)"
| rex mode=sed field="err_transaction_id" "s/\'//g"
| rex mode=sed field="err_program" "s/\'//g"
| sort Sort_To_The_Top -Current_Day_Count -Percent_Change -Prior_Period_Daily_Avg err_transaction_id err_program msg_first22chars
| table err_transaction_id err_program msg_first22chars Prior_Period_Daily_Avg Current_Day_Count Percent_Change
Current Results
Desired Results
... View more