Hey I'm trying to extract the values from _time to new fields (Year, Month, Day), in order to compare average of events during current month to last 3 months, but it seems like they do not get any value. here is my search: 'soc_events' | search * Rule_Name="*" | eval mytime=strftime(_time, "%Y/%m/%d") | rex field=mytime "(\"?<Year>\d+)/(?<Month\d+)/(?<Day>\d+)\"" | stats count as Count by Year,Month,Day | sort Year,Month,Day | eventstats last(Month) as Current_Month last(Year) as Current_Year | where Month!=CurrentMonth OR Year!=Current_Year | stats avg(Count) as DayAveravge values(Month) as Months by Day ... View more

Hello I am trying to compare my average events in current month to previous 3 month average (per day [1,2,3...31]) based on _time For example: Considering that the current month is October (10). I am trying to compare the current count of random numbers that I have received on the 10/1 and 10/2 to the average of the counts that I have received on the 1st and 2nd of September(09) and August(08). That's how i tried to do it: `soc_events` | eval mytime=strftime(_time, "%Y/%m/%d") | table mytime | rex field=mytime "("?<Year>\d+)/(?<Month\d+)/(?<Day>\d+)")" | stats count as Count by Year,Month,Day | sort Year,Month,Day | eventstats last(Month) as Current_Month last(Year) as Current_Year | where Month!=CurrentMonth OR Year!=Current_Year | stats avg(Count) as DayAveravge values(Month) as Months by Day but it says syntax error in rex : missing terminator ... View more