This will not give the desired result.
I did it separately for each period, but I do not know how to combine these three requests into one.
3 days ago
... EventCode="*" | WHERE _time >= relative_time(now(), "-2d@d") AND _time <= relative_time(now(), "-1d@d") | stats count by EventCode
2 days ago
... EventCode="*" | WHERE _time >= relative_time(now(), "-1d@d") AND _time <= relative_time(now(), "-0d@d") | stats count by EventCode
1 day ago
... EventCode="*" | WHERE _time >= relative_time(now(), "-0d@d") AND _time <= now() | stats count by EventCode
Or like this:
... EventCode="*" earliest=-2d@d latest=-1d@d | stats count by EventCode | rename count as dt3
... EventCode="*" earliest=-1d@d latest=-0d@d | stats count by EventCode | rename count as dt2
... EventCode="*" earliest=-0d@d | stats count by EventCode | rename count as dt1
I tried to connect, but it does not work correctly:
source="WinEventLog:Security" EventCode="*" earliest=-2d@d latest=-1d@d | stats count by EventCode | rename count as dt3 | appendcols [ search source="WinEventLog:Security" EventCode="*" earliest=-1d@d latest=-0d@d | stats count by EventCode | rename count as dt2] | appendcols [ search source="WinEventLog:Security" EventCode="*" earliest=-0d@d | stats count by EventCode | rename count as dt1]
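An added example, not part of the original post: appendcols pastes result rows together by position rather than by EventCode, so one way to get the three counts in aligned columns is a single search that labels each event with its day window and charts by that label. The field name period is an assumption; the dt1 to dt3 names and the time windows are the ones used in the post.

```spl
source="WinEventLog:Security" EventCode="*" earliest=-2d@d latest=now
| eval period=case(
    _time >= relative_time(now(), "@d"),    "dt1",
    _time >= relative_time(now(), "-1d@d"), "dt2",
    true(),                                 "dt3")
| chart count over EventCode by period
| fillnull value=0 dt1 dt2 dt3
```

Each EventCode gets exactly one row, and fillnull puts a 0 in any day column where that code did not occur.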