Hello everyone,
The time modifiers don't seem to work for this search, am I doing something wrong?
|union
[search query.. earliest=-15m@m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total1]
[search query.. earliest=-15m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total2]
[search query.. earliest=-1d-15m@m latest=-1d
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total3]
[search query.. earliest=-1d-15m@m latest=-1d
|join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total4]
|stats sum(total1) as eval1, sum(total2) as eval2, sum(total3) as eval3, sum(total4) as eval4
|eval y1=eval1-eval2
|eval y2=eval3-eval4
|eval z1=round((y1/eval1)*100, 2)
|eval z2=round((y2/eval3)*100, 2)
|table eval1, eval2, eval3, eval4, y1, y2, z1, z2
The subsearches with the time modifiers in bold do not work and result in 0s in the output table. However, if I change the bold time modifiers to earliest=-15m@m latest=now, it works fine, but gives me the same result as the first 2 subsearches. Unsure as to why this is happening.
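A check worth running against the third and fourth subsearches, added here as an editor's note and not part of the original post. It rests on one assumption that the post does not confirm: in Splunk, a subsearch (including the subsearch of a `join`) takes its time range from the search job's own bounds (the time picker), not from `earliest`/`latest` written inline in the search that encloses it. If that holds, the inner `[query..]` joins inside the `-1d-15m@m`/`-1d` blocks are still searching the time-picker window, so the inner join against yesterday's events finds no matching `x` and the block counts to 0, while setting everything to `-15m@m` makes all sides line up and reproduces totals 1 and 2. The fix under that assumption is to repeat the window on every join subsearch; `query..` is kept as the placeholder from the post and is not filled in:

```spl
| union
    [search query.. earliest=-15m@m latest=now
    | join type=inner x [query.. earliest=-15m@m latest=now]
    | join type=inner x [query.. earliest=-15m@m latest=now]
    | dedup x
    | stats count(x) as total1]
    [search query.. earliest=-15m@m latest=now
    | join type=inner x [query.. earliest=-15m@m latest=now]
    | join type=inner x [query.. earliest=-15m@m latest=now]
    | join type=inner x [query.. earliest=-15m@m latest=now]
    | dedup x
    | stats count(x) as total2]
    [search query.. earliest=-1d-15m@m latest=-1d
    | join type=inner x [query.. earliest=-1d-15m@m latest=-1d]
    | join type=inner x [query.. earliest=-1d-15m@m latest=-1d]
    | dedup x
    | stats count(x) as total3]
    [search query.. earliest=-1d-15m@m latest=-1d
    | join type=inner x [query.. earliest=-1d-15m@m latest=-1d]
    | join type=inner x [query.. earliest=-1d-15m@m latest=-1d]
    | join type=inner x [query.. earliest=-1d-15m@m latest=-1d]
    | dedup x
    | stats count(x) as total4]
| stats sum(total1) as eval1, sum(total2) as eval2, sum(total3) as eval3, sum(total4) as eval4
| eval y1=eval1-eval2, y2=eval3-eval4
| eval z1=round((y1/eval1)*100, 2), z2=round((y2/eval3)*100, 2)
| table eval1, eval2, eval3, eval4, y1, y2, z1, z2
```

To confirm the assumption before rewriting the whole search, run one of the yesterday join subsearches on its own, once with and once without its own `earliest=-1d-15m@m latest=-1d`, with the time picker left at the last 15 minutes: if the version without the modifiers returns nothing for that window, the inner join is the reason the block reports 0.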