Hi, long-time reader, first-time poster. I've cobbled together this query that generates a count by status for last week and the week before. I would like to add a PercentageChange column.
index="my_index" container_label=my_notables container_update_time!=null earliest=-14d@w0 latest=@w0
| fields id, status, container_update_time
| eval Time=strftime(_time,"%m/%d/%Y %l:%M:%S %p")
| eval container_update_time_epoch=strptime(container_update_time, "%FT%T.%5N%Z")
| sort 0 -container_update_time
| dedup id
| eval status=case((status="dismissed"), "Dismissed (FP)", (status="resolved"), "Resolved (TP)", true(), "Other")
| eval marker=if(relative_time(now(),"-7d@w0")<container_update_time_epoch, "WeekReporting", "PriorWeek")
| eval _time=if(relative_time(now(),"-7d@w0")<container_update_time_epoch, container_update_time_epoch, container_update_time_epoch+60*60*24*7)
| chart count by status marker
I know I need to incorporate the following eval somehow, just not sure how to tie it all together to get it to show up in the format shown above.
| eval PercentChange= if(PriorWeek!=0,(WeekReporting-PriorWeek)/PriorWeek*100,WeekReporting*100)
I'll be honest, I'm not sure if I still need the final eval, so any other suggestions that will make this more efficient I'll gladly accept. I appreciate any and all tips or help to make this work. Cheers, Michael