Hello there,
Step 1:
user  software_name  dc_today  dc_past
A     XYZ.exe        1         9
B     PQR.exe        2         3
C     DTA.exe        0         1
The final result should be:
user  software_name  dc_today
A     XYZ.exe        1
My method:
index=* _index_earliest=-1d | stats dc(user) as dc by software_name | eval dc_today=if(dc=1, 1, 0)
| append [search index=* _index_earliest=-5d | stats dc(user) as dc by software_name | eval dc_past=if(dc=1, 1, 0)]
| table user software_name dc_today dc_past
So I am running two similar searches with differences in timespan.
1) Append is not reflecting the sub-search
2) Is there a more efficient way to do this?
Thanks in advance!
KanJ