I'm trying to search for multiple rule event hits in my historical data:
Date 1, Rule A, NumAlerts 15
Date 1, Rule B, NumAlerts 0
Date 1, Rule C, NumAlerts 15000
Date 2, Rule A, NumAlerts 16000
Date 2, Rule B, NumAlerts 16
Date 3, Rule C, NumAlerts 1
How would I structure a query for any given date range (last 3 days)?
Rule A - 16015
Rule B - 16
Rule C - 15001
You can use stats with a sum and a by statement. Like so:
<base_search> | stats sum(NumAlerts) by Rule
You can specify the time range using custom time: go to "relative" and use -3d@d. You can also add "earliest=-3d@d latest=now" to your
Hope this helps.
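As an added illustration (not part of the original answer or of Splunk itself), the Python below reproduces what `earliest=-3d@d latest=now | stats sum(NumAlerts) by Rule` computes over a small constructed event set: it resolves the relative time modifiers (offset first, then the `@d` snap to midnight), filters events into the window, and sums `NumAlerts` per `Rule`. The timestamps, the fixed "now", and the extra out-of-window event are assumptions made up for the example; only the Rule/NumAlerts values come from the question.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data: a fixed "now" so the example runs offline, and events
# that mirror the question's table with assumed _time values. The last
# event lies just before the -3d@d boundary to show the snap behaviour.
NOW = datetime(2024, 5, 10, 14, 30)
EVENTS = [
    {"_time": datetime(2024, 5, 7, 9, 0),   "Rule": "A", "NumAlerts": 15},
    {"_time": datetime(2024, 5, 7, 9, 5),   "Rule": "B", "NumAlerts": 0},
    {"_time": datetime(2024, 5, 7, 10, 0),  "Rule": "C", "NumAlerts": 15000},
    {"_time": datetime(2024, 5, 8, 11, 0),  "Rule": "A", "NumAlerts": 16000},
    {"_time": datetime(2024, 5, 8, 11, 30), "Rule": "B", "NumAlerts": 16},
    {"_time": datetime(2024, 5, 9, 12, 0),  "Rule": "C", "NumAlerts": 1},
    {"_time": datetime(2024, 5, 6, 23, 59), "Rule": "A", "NumAlerts": 999},  # outside -3d@d
]


def snap_relative(now, modifier):
    """Resolve a Splunk-style relative time such as '-3d@d', '-3d' or 'now'.

    Only the subset used on this page is handled: an optional signed day
    offset ('-3d') and an optional snap to the start of the day ('@d').
    The offset is applied first and the snap afterwards, so '-3d@d' means
    "midnight at the start of the day three days ago".
    """
    if modifier == "now":
        return now
    offset_part, _, snap = modifier.partition("@")
    t = now
    if offset_part:
        if not offset_part.endswith("d"):
            raise ValueError(f"unsupported unit in {modifier!r}; only 'd' is handled")
        t = now + timedelta(days=int(offset_part[:-1]))
    if snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap:
        raise ValueError(f"unsupported snap in {modifier!r}; only '@d' is handled")
    return t


def stats_sum_by(events, now, earliest="-3d@d", latest="now",
                 field="NumAlerts", by="Rule"):
    """Equivalent of: earliest=<earliest> latest=<latest> | stats sum(field) by <by>.

    Splunk treats earliest as inclusive and latest as exclusive, and
    stats sum() adds the numeric field per distinct value of the by-field.
    Returns a dict sorted by the by-field, e.g. {'A': 16015, 'B': 16, 'C': 15001}.
    """
    start = snap_relative(now, earliest)
    end = snap_relative(now, latest)
    totals = defaultdict(int)
    for ev in events:
        if start <= ev["_time"] < end:
            totals[ev[by]] += ev[field]
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    print("window:", snap_relative(NOW, "-3d@d"), "to", snap_relative(NOW, "now"))
    for rule, total in stats_sum_by(EVENTS, NOW).items():
        print(f"Rule {rule} - {total}")
```

The difference between `-3d` and `-3d@d` matters for the question's numbers: without the `@d` snap the window starts at 14:30 three days ago, so the morning events of that first day (Rule A 15, Rule C 15000) drop out and Rule A sums to 16000 instead of 16015.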
You RAWK! Woohoo!