Hi,
I know this has been done to death several times, but my take on the issue is slightly different.
I have the following search that works.
index=platform_logs sourcetype=UpdateLog earliest=@d latest=now "Download completed successfully" | eval ReportKey="Today" | append [search index=platform_logs sourcetype=UpdateLog earliest=-1d@d latest=-1d "Download completed successfully" | eval ReportKey="Yesterday"] | stats count by ReportKey
It gives me a nice table showing the number of successful downloads "today" compared to "yesterday" at the time the search is run. This way I can see if these particular downloads are tracking correctly.
However, if I configure this search as a dashboard it seems to hard-code the earliest and latest within the code, and it only ever displays the result for "Today".
I saved this as a dashboard so I could pull the code out for another app I am writing and the logic was as follows:
<table>
<title>Feed Download : Today vs Yesterday</title>
<searchString>index=platform_logs sourcetype=UpdateLog earliest=@d latest=now "Download completed successfully" | eval ReportKey="Today" | append [search index=platform_logs sourcetype=UpdateLog earliest=-1d@d latest=-1d "Download completed successfully" | eval ReportKey="Yesterday"] | stats count by ReportKey</searchString>
<earliestTime>1393758000</earliestTime>
<latestTime>1393844400</latestTime>
</table>
The dashboard works ... but if I pull the code into a different app/dashboard it doesn't.
If I replace the
My other option would be to split these into two different dashboard elements, but then I would not be able to do any further logic of alerting if there is a difference between the two results.
Cheers,
C.
Your search is always giving you today's results because it contains fixed earliest=@d latest=now time modifiers.
That's weird - what happens when you remove the append like so?
index=platform_logs sourcetype=UpdateLog earliest=-d@d latest=now "Download completed successfully" | timechart span=1d count
You'll get two counts, split into today and yesterday.
Also, your latest in the subsearch probably should have been @d rather than -1d.
The search is two searches joined together using append, both with their own time ranges. Also, the search works when it is run from the search app and when it is run from its own dashboard. If I copy the dashboard code out and into another dashboard then I only see results for "today".
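Added example, not part of the thread and not Splunk code: a small Python model of the relative time modifiers used above, showing which window each earliest/latest pair covers and that the epoch pair in the posted panel is a fixed range. It assumes only s/m/h/d units, ignores time zones and DST, and uses a constructed `NOW`; the names `resolve` and `window_seconds` are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
MODIFIER = re.compile(r"^(?:([+-])(\d*)([smhd]))?(?:@([smhd]))?$")
# Fields zeroed when snapping to each unit (simplified: no weeks/months).
SNAP = {"d": dict(hour=0, minute=0, second=0, microsecond=0),
        "h": dict(minute=0, second=0, microsecond=0),
        "m": dict(second=0, microsecond=0),
        "s": dict(microsecond=0)}

# Constructed clock value for the example; not taken from the thread.
NOW = datetime(2014, 3, 4, 9, 30, tzinfo=timezone.utc)
# Epoch pair copied from the <earliestTime>/<latestTime> in the posted panel.
PANEL_EARLIEST, PANEL_LATEST = 1393758000, 1393844400

def resolve(modifier, now=NOW):
    """Resolve a relative time modifier such as -1d@d against `now`."""
    if modifier == "now":
        return now
    match = MODIFIER.match(modifier)
    if not modifier or not match:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    sign, amount, unit, snap = match.groups()
    t = now
    if unit:
        delta = timedelta(**{UNITS[unit]: int(amount or 1)})  # bare "-d" means "-1d"
        t = t + delta if sign == "+" else t - delta
    if snap:
        t = t.replace(**SNAP[snap])  # offset is applied first, then the snap
    return t

def window_seconds(earliest, latest, now=NOW):
    """Length in seconds of the range an earliest/latest pair covers."""
    return int((resolve(latest, now) - resolve(earliest, now)).total_seconds())

if __name__ == "__main__":
    for label, e, l in [("Today (outer search)", "@d", "now"),
                        ("Yesterday (subsearch as posted)", "-1d@d", "-1d"),
                        ("Yesterday (latest=@d, as suggested)", "-1d@d", "@d"),
                        ("timechart variant", "-d@d", "now")]:
        print(f"{label:38} {resolve(e)} -> {resolve(l)}  {window_seconds(e, l)}s")
    print("Panel epoch window:", PANEL_LATEST - PANEL_EARLIEST, "s, fixed at",
          datetime.fromtimestamp(PANEL_EARLIEST, timezone.utc))
```

With the constructed `NOW` of 09:30, the two append windows each cover 34200 seconds (midnight to 09:30), while the subsearch with latest=@d covers the whole of yesterday. The panel's epoch pair is a fixed 86400-second range that does not move with the clock.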