Hello,
So every 24 hours we run daily evaluations on computers that create numerical ratings. Our daily reports display Time(of scan), ComputerID, rating value. After 24 hours, all nodes are scanned again. Some will (hopefully) have a lower numerical rating value. We would like to run a separate report showing the change in value of the numerical rating for each compuert that actually changed over the 24 hour period.
ComputerID=5 character alpha numeric
Rating value=0-100
The following query works for single instances of evaluation.
index=main sourcetype=scan host=scanner ComputerID==1234R | stats range(numerical_rating) AS "Daily Change",values AS Computers | table Computers,"Daily Changes"
Unfortunately we can not get this to evaluate properly against 200 computerIDs at one time. Is there a way to separate out the duplicate computerIDs with associated unique numerical_ratings and then get the difference of the numerical_rating reported with the associated computerID?
DOH!
Thanks!
... View more