How can I do Three search in the same query, but the results separate for a week (the results of last 4 weeks), and the result of the three search do a operation math for a final result.
///////////////////////////
This is my query:
index="main_alarms"
| search entity_name ="*"
| dedup alarm_id, source
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats count as eventcount by _time
| rename eventcount as "TotalAlerts"
| append [ search index="main_alarms"
| dedup alarm_id, source
| search entity_name ="*"
| search alarm_rule="*"
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| where alarm_status_desc = "Closed: False Alarm"
| stats count as alarm_status_desc by _time
| rename alarm_status_desc as "AlertsFalse"]
| append [search index="main_alarms"
| dedup alarm_id, source
| search entity_name ="*"
| dedup alarm_id, source
| search alarm_status_desc="*" alarm_rule="*" ActionStatus=*
| where _time>relative_time(now(),"-4w@w")
| bin _time span=1w
| stats count as eventcount1 by _time
| rename eventcount1 as "AlertsSmart"]
| table "TotalAlerts" "AlertsFalse" "AlertsSmart"
/////////////////////////////////////////////////////////////////////
But this is the result
//////////////////////////////////////////
How can I get the result to be in the same row and then do the difference of the week?
| eval Diff=(("TotalAlerts")-("AlertsFalse"+"AlertsSmart"))
- The same index in the 3 searchs
- The last 4 weeks
- Diference =(A-(B+C))
- Chart the Columns A B C Diference
Thak you ITWhisperer
Thak you ITWhisperer
I Add this 3 lines in my Query, and the result successfully, thank you so much
| stats values(*) as * by _time
| eval Diff=((AlertsTotals)-(AlertsSmart+AlertsFalse))
| table AlertsTotals AlertsFalse AlertsSmart Diff
