Hi vikas_gopal,
take a look at this run-everywhere command; it will compare the event count from 3 minutes ago with the event count from 2 minutes ago:
index=_internal earliest=-3min@min
| bucket _time span=1min
| stats last(_time) AS last_time count AS per_min_count by _time, host
| eval 2min_ago = if(last_time > exact(relative_time(now(),"-3min@min")) AND last_time <= exact(relative_time(now(),"-2min@min")) , per_min_count ,"0")
| eval current_count = if(last_time > exact(relative_time(now(),"-2min@min")) AND last_time <= exact(relative_time(now(),"-1min@min")) , per_min_count ,"0")
| stats max(last_time) AS _time, values(host) AS host, max(current_count) AS current_count, max(2min_ago) AS 2min_ago
| eval diff = '2min_ago' - 'current_count'
Hope this helps to get you started ...
cheers, MuS
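The bucketing and window comparison from the search above, re-implemented in Python as an added example (not code from this thread) so the boundary semantics are visible: buckets are snapped to the minute, the two windows are "-3min@min" to "-2min@min" and "-2min@min" to "-1min@min" with an exclusive lower and inclusive upper bound, and the still-incomplete current minute is never counted. It keeps a per-host breakdown rather than the max over hosts that the final stats takes, and it uses constructed events and a fixed now.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (host, timestamp); a stand-in for index=_internal, not real data.
NOW = datetime(2024, 1, 1, 12, 4, 30, tzinfo=timezone.utc)
EVENTS = [
    ("hostA", NOW - timedelta(minutes=3, seconds=20)),  # 12:01:10 -> bucket 12:01, outside both windows
    ("hostA", NOW - timedelta(minutes=2, seconds=25)),  # 12:02:05 -> "2min_ago" bucket
    ("hostA", NOW - timedelta(minutes=2, seconds=1)),   # 12:02:29 -> "2min_ago" bucket
    ("hostA", NOW - timedelta(minutes=1, seconds=10)),  # 12:03:20 -> "current_count" bucket
    ("hostB", NOW - timedelta(minutes=2, seconds=10)),  # 12:02:20 -> "2min_ago" bucket
    ("hostB", NOW - timedelta(seconds=5)),              # 12:04:25 -> incomplete minute, ignored
]


def snap_to_minute(ts):
    """Equivalent of @min snapping and of `bucket _time span=1min`: drop the seconds."""
    return ts.replace(second=0, microsecond=0)


def relative_time(now, minutes_back):
    """Equivalent of relative_time(now(), "-<N>min@min")."""
    return snap_to_minute(now - timedelta(minutes=minutes_back))


def per_minute_counts(events):
    """`stats count by _time, host` over minute buckets; the bucket start plays the role of last(_time)."""
    counts = Counter()
    for host, ts in events:
        counts[(snap_to_minute(ts), host)] += 1
    return counts


def window_count(counts, host, lower, upper):
    """Sum of per-minute counts for one host whose bucket time t satisfies lower < t <= upper."""
    return sum(n for (t, h), n in counts.items() if h == host and lower < t <= upper)


def compare_minutes(events, now):
    """Per host: count two minutes ago, count for the last complete minute, and their difference."""
    counts = per_minute_counts(events)
    result = {}
    for host in sorted({h for h, _ in events}):
        two_min_ago = window_count(counts, host, relative_time(now, 3), relative_time(now, 2))
        current = window_count(counts, host, relative_time(now, 2), relative_time(now, 1))
        result[host] = {"2min_ago": two_min_ago, "current_count": current, "diff": two_min_ago - current}
    return result


if __name__ == "__main__":
    for host, row in compare_minutes(EVENTS, NOW).items():
        print(host, row)
```

A positive diff means the host sent fewer events in the last complete minute than in the one before, which is the drop-off signal the search is built to surface.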
Works like magic, but some things are not clear to me, like the purpose of using last(_time), and lines 4 and 5. Need a small clarification on these.
Those two lines (4 & 5) will count events based on the last_time value which was set in the stats on line 3.
I get it, thanks MuS for your quick response, you are awesome.. ;)
Thanks, you're welcome 🙂