When running this command: "low_seq=" "source_session_id" "-1177" | stats by _time,source_session_id,low_seq | delta low_seq as d | where d<0 | table _time, source_session_id, low_seq, d I get what I want for one source_session_id:
_time source_session_id low_seq d
1:00:01 PM -1177 0 -4584
However, I have multiple source_session_id, so without "-1177", the search does not work: "low_seq=" "source_session_id" | stats by _time,source_session_id,low_seq | delta low_seq as d |table _time, source_session_id, low_seq, d .
How do I make it work so it finds all source_session_id where d<0?
I tried this: "low_seq=" "source_session_id" | stats values(low_seq) by source_session_id. It groups nicely for all source_session_id, but I could not make it work with delta with stats(values) to get d<0.
Thank you.
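One way to compute the difference per session, added here as an example that is not part of the original post: `delta` has no by clause, so it compares each row with the previous row regardless of session, while `streamstats` with `by source_session_id` keeps a separate previous value for each session. It assumes low_seq and source_session_id are extracted fields, as the searches above imply; prev_low_seq is a name introduced for illustration.

```spl
"low_seq=" "source_session_id"
| sort 0 _time
| streamstats current=f last(low_seq) as prev_low_seq by source_session_id
| eval d = low_seq - prev_low_seq
| where d < 0
| table _time, source_session_id, low_seq, prev_low_seq, d
```

The first event of each session has no previous value, so d is null there and the `where` clause drops it.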