I am trying to compare the event count from each of my devices for the last 24 hours to the daily average of each device over the last 90days. Here is my query:
sourcetype=eventsfrommydevice | eval DEVICE_NAME=coalesce(tag,DEVICE_NAME) | stats count BY DEVICE_NAME, date_month, date_mday | stats avg(count) AS "Average_Event_Count" BY DEVICE_NAME | eval Average_Event_Count=round(Average_Alert_Count,2)
The time window is set to the last 90 days. The first eval statement is there because the device names changed during the last 90 days and throws of the average because it looks at each device name as separate, so I tagged the old device name with the new and this eval, where the device name is tagged, replaces the old name value with the value in the tag. Then I am making a daily count. The next stat averages the daily event count. The last eval just rounds the average to 2 decimal places.
I want to have another column in the results that shows the event count for the last 24 hours. Eventually I want to set a threshold to tell me when the event counts are too far above or too far below the average but I need to analyze the results first. i can accomplish both sets of aggregation separately but I can't seem to get them together. I've tried using sub-searches and various eval expressions but no-go. Any help would be appreciated.
... View more