hello
In my dashboard, I need to compare 2 single panel values between 2 different times.
The first single panel stats the events on the last 15 minutes like this:
| stats max(sys_session_count) as session by host
| stats sum(session) as session
| table session
Now, what I need to do is to compare this current single panel value with the results one week before during the same time slot.
For example, today is the 13 of June and the current hour is 8:15 AM
So in the second single panel, I need to display result for the 6 of June at 8:15
Here is what I am doing
`index` sourcetype="system" earliest=-7d@d+7h latest=-7d@d+19h
| bin _time span=15m
| eval time=strftime(_time,"%H:%M")
| stats max(sys_session_count) as session by host time
| stats sum(session) as session by time
| eval current=now()
| bin current span=15m
| eval current=strftime(current,"%H:%M")
| where time=current
| table session time
But I think it's not good because whatever the time is (8:15, 8:30, 8:45...), the results are almost the same.
So does anybody have an idea how to answer my need correctly?
thanks
Can anybody help, please?
OK I'll ask again. What do you mean by almost the same?
Can you give some examples of the results you are getting and explain why they are not what you expect them to be?
Please forget "almost the same"
Concerning my needs :
In a first search, I sum the number of session on the last 15 minutes like below
<dashboard refresh="60">
<label>XX</label>
<search id="session">
<query>`index` sourcetype="system"
</query>
<refresh>10s</refresh>
<refreshType>delay</refreshType>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<single>
<search base="session">
<query>| stats max(sys_session_count) as session by host
| stats sum(session) as session
| table session</query>
</search>
</single>
</panel>
</row>
</dashboard>
Now, I need to do the same thing 7 days before the current day
So here is what I am doing:
`index` sourcetype="system" earliest=-7d@h latest=-7d@h+15m
| stats max(sys_session_count) as session by host
| stats sum(session) as session
| table session
But it seems that earliest=-7d@h latest=-7d@h+15m doesn't display events on the last 15m compared to the current time.
What I exactly need in this second search is to sum the number of sessions 7 days ago and on the last 15 minutes only,
so I am looking for the best way to do this, please.
Shouldn't this be
sourcetype="system" earliest=-7d@m-15m latest=-7d@m
What do you mean almost the same? Have you checked the results from 7 days ago?
Unless I am mistaken, the relative time in the search annihilates the time picker choice.
Yes, setting earliest and latest as you have done means that the timepicker is not used.
So for answering your question it changes anything....
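The difference between the two time windows proposed in this thread, as an added example that is not code from any of the posters: a small Python model of Splunk's chained relative time modifiers (offset, `@` snap, further offset). It assumes only the s/m/h/d units and the literal `now`; the names `resolve`, `snap` and `window` and the 2024 date are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Simplified model of Splunk relative time modifiers (assumption: only the
# s/m/h/d units and the literal "now" are handled; this is not Splunk code).
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
TOKEN = re.compile(r"[+-]\d+[smhd]|@[smhd]")

def snap(t, unit):
    """Snapping always rounds down to the start of the unit."""
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    return t.replace(microsecond=0)

def resolve(modifier, now):
    """Apply each offset or snap in the chain from left to right."""
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in TOKEN.finditer(modifier):
        if m.start() != pos:  # unparsed text between tokens
            break
        tok, pos = m.group(0), m.end()
        if tok[0] == "@":
            t = snap(t, tok[1])
        else:
            t += timedelta(**{UNITS[tok[-1]]: int(tok[:-1])})
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t

def window(earliest, latest, now):
    """Return the (earliest, latest) datetimes a search would cover."""
    return resolve(earliest, now), resolve(latest, now)

if __name__ == "__main__":
    now = datetime(2024, 6, 13, 8, 22, 40)  # constructed "current time"
    for earliest, latest in [("-15m", "now"),
                             ("-7d@h", "-7d@h+15m"),
                             ("-7d@m-15m", "-7d@m")]:
        lo, hi = window(earliest, latest, now)
        print(f"{earliest:>10} .. {latest:<10} {lo:%d %b %H:%M:%S} -> {hi:%d %b %H:%M:%S}")
```

At the constructed time 08:22:40, the hour-snapped pair covers 08:00 to 08:15 a week earlier whatever the current minute is, while the minute-snapped pair covers 08:07 to 08:22 and so tracks the current panel's `-15m` window.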