Hi,
I have two searches, and I want to compare one with the other. One search should run for "Today" and the other should run for "Yesterday", so I have used earliest=@d latest=now for "Today" and
earliest=-1d@d latest=@d for "Yesterday" data, but there is one catch: it is not good to compare the data in this case, because "Yesterday" has the full last 24 hours of data and "Today" has only the data up to when I am running the query (let's say 10 hours of data). If I execute the "Today" query it will be 12 hours of data compared with 24 hours of data...
So, I want to make my query such that it compares today's 12 hours of data with yesterday's 12 hours of data.
I need your help doing that!! Please suggest a solution.
Thanks in advance !!
Try something like this:
| multisearch [search index=_internal earliest=@d latest=now | eval day="Today"]
[search index=_internal [search index=_internal earliest=@d latest=now | head 1 | addinfo | eval latest=info_max_time-86400 | eval earliest=info_min_time-86400 | table earliest, latest| format "" "" " " "" "" ""] | eval day="Yesterday"]...
This query compares data from today's hours (if run at 04/03/2014 10:00 AM, then 04/03/2014 00:00 AM to 04/03/2014 10:00 AM) with exactly the same hours from yesterday (04/02/2014 00:00 AM to 04/02/2014 10:00 AM).
You could use earliest=@d latest=@h for Today and earliest=-1d@d latest=-24h@h for Yesterday.
Or earliest=@d latest=@m for Today and earliest=-1d@d latest=-1440m@m for Yesterday.
Hi abhayneilam,
take a look at the timewrap app, which provides a new search command to do exactly this kind of time-to-time comparison.
cheers, MuS
Thinking a bit about this request, I came up with this run-everywhere command:
index=_internal earliest=-25h@h | stats count(date_hour) as hourly_count by date_hour, date_wday
This will count all events per hour in the last 25 hours and group them per hour per day. Just adapt it to your needs, e.g. filter on the date_hour you need.
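The window arithmetic from the earliest/latest answers above (earliest=@d latest=@h versus earliest=-1d@d latest=-24h@h, and the @m variant) and the per-hour, per-weekday grouping from the last answer, worked through in plain Python as an added illustration. This is not code from the thread or from Splunk: snap(), comparable_windows(), hourly_counts() and compare_today_with_yesterday() are names chosen for this example, the event timestamps are constructed, and times are naive local time with no DST modelling. Note that the multisearch answer shifts yesterday's window by a fixed 86400 seconds, which equals one calendar day only when no DST change falls in between; the example below shifts by a calendar day instead.

```python
# Added illustration for this thread, not code from the original posts or
# from Splunk. It re-creates in plain Python the window arithmetic behind the
# earliest/latest snap modifiers (@d, @h, @m, -1d@d) and the per-hour,
# per-weekday grouping of `stats count by date_hour, date_wday`, so the two
# answers can be checked against constructed sample events. All function
# names below are this example's own; timestamps are naive local time and
# DST transitions are not modelled.
from collections import Counter
from datetime import datetime, timedelta


def snap(ts: datetime, unit: str) -> datetime:
    """Truncate ts to the start of its day/hour/minute, like Splunk's @d/@h/@m."""
    if unit == "d":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":
        return ts.replace(minute=0, second=0, microsecond=0)
    if unit == "m":
        return ts.replace(second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit!r}")


def comparable_windows(now: datetime, unit: str = "h"):
    """Return (today_window, yesterday_window), each as (earliest, latest).

    Today is `earliest=@d latest=@<unit>` (midnight up to the last whole
    hour/minute). Yesterday is the same clock span shifted back one calendar
    day, i.e. `earliest=-1d@d` with a matching latest, so both windows cover
    the same number of hours instead of 10-12 hours versus a full day.
    """
    today_start = snap(now, "d")
    today_end = snap(now, unit)
    one_day = timedelta(days=1)  # one calendar day back (naive time, no DST adjustment)
    return (today_start, today_end), (today_start - one_day, today_end - one_day)


def hourly_counts(events, window) -> Counter:
    """Count events with earliest <= _time < latest, keyed by (date_wday, date_hour)."""
    earliest, latest = window
    counts: Counter = Counter()
    for ts in events:
        if earliest <= ts < latest:
            counts[(ts.strftime("%A").lower(), ts.hour)] += 1
    return counts


def compare_today_with_yesterday(events, now: datetime, unit: str = "h") -> dict:
    """Map each hour seen in either window to (yesterday_count, today_count)."""
    (t_start, t_end), (y_start, y_end) = comparable_windows(now, unit)
    today = hourly_counts(events, (t_start, t_end))
    yesterday = hourly_counts(events, (y_start, y_end))
    t_day = t_start.strftime("%A").lower()
    y_day = y_start.strftime("%A").lower()
    hours = sorted({h for _, h in today} | {h for _, h in yesterday})
    # Counter returns 0 for hours present on only one of the two days.
    return {h: (yesterday[(y_day, h)], today[(t_day, h)]) for h in hours}


# Constructed sample events; the query is imagined to run on Thursday
# 2014-04-03 at 10:20, the date used in the multisearch answer above.
NOW = datetime(2014, 4, 3, 10, 20)
SAMPLE_EVENTS = [
    datetime(2014, 4, 2, 1, 15),   # yesterday, hour 1
    datetime(2014, 4, 2, 1, 45),   # yesterday, hour 1
    datetime(2014, 4, 2, 9, 30),   # yesterday, hour 9
    datetime(2014, 4, 2, 10, 10),  # yesterday, hour 10: only inside the @m window
    datetime(2014, 4, 2, 15, 0),   # yesterday afternoon: never comparable to "so far today"
    datetime(2014, 4, 3, 1, 5),    # today, hour 1
    datetime(2014, 4, 3, 9, 10),   # today, hour 9
    datetime(2014, 4, 3, 9, 50),   # today, hour 9
    datetime(2014, 4, 3, 10, 5),   # today, hour 10: only inside the @m window
]

if __name__ == "__main__":
    for unit in ("h", "m"):
        print(f"latest=@{unit}:", compare_today_with_yesterday(SAMPLE_EVENTS, NOW, unit))
```

With latest=@h both windows stop at 10:00, so the partial hour 10 is dropped from both days; with latest=@m it stops at 10:20 and hour 10 is compared on a like-for-like basis. The 15:00 event from yesterday is what the original earliest=-1d@d latest=@d search would have counted against a shorter "today".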