Right now, I am computing the latest value of a field per ID per each day and then I compute the sum of it. But I would like to see the difference between e.g. sum of day 2 - sum of day 1 as the range for day 2.
My search:
msgType=myMessage | reverse | bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue)
What I want to achieve is to find the range of field myField per day.
I tried using range(myField) but that will miss adding the last event of the previous day.
Any suggestions? Thanks!
Try this:
msgType=myMessage | reverse | bucket _time span=1d | stats last(myField) AS lastSeenValue by _time ID | timechart span=1d sum(lastSeenValue) AS sumLastSeenValue | streamstats current=f last(sumLastSeenValue) AS prevSumLastSeenValue by ID | fillnull | eval delta = sumLastSeenValue - prevSumLastSeenValue
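To make the difference between the two approaches concrete, here is an added Python model of the pipeline above (it is not part of the thread and not Splunk's own code): it takes last(myField) per ID per day, sums across IDs per day, and then computes the day-over-day delta the way streamstats current=f followed by fillnull would. It also computes the per-day sum of range(myField), the approach the question started with, so the two results can be compared on the same constructed events. The event list and field names are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the thread): (ISO timestamp, ID, myField).
# They are deliberately not in time order, which is why the search pipes through `reverse`.
EVENTS = [
    ("2024-01-01T18:00:00Z", "A", 14),   # day 1, last value for A
    ("2024-01-01T08:00:00Z", "A", 10),
    ("2024-01-01T09:00:00Z", "B", 5),    # day 1, only value for B
    ("2024-01-02T19:00:00Z", "A", 18),   # day 2, last value for A
    ("2024-01-02T07:00:00Z", "A", 20),
    ("2024-01-02T12:00:00Z", "B", 9),    # day 2, only value for B
    ("2024-01-03T11:00:00Z", "B", 12),   # day 3: only B reports, A is silent
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _day(ts):
    # bucket _time span=1d: collapse the timestamp to its calendar day (UTC here)
    return _parse(ts).date().isoformat()


def last_value_per_day_per_id(events):
    """Model `reverse | bucket _time span=1d | stats last(myField) by _time ID`.

    Splunk returns events newest-first; `reverse` restores chronological order so
    last() really is the latest event in each (day, ID) bucket.
    """
    ordered = sorted(events, key=lambda e: _parse(e[0]))
    last = {}
    for ts, id_, value in ordered:
        last[(_day(ts), id_)] = value   # a later event in the same bucket overwrites
    return last


def daily_sum(last):
    """Model `timechart span=1d sum(lastSeenValue)`: one row per day, ID collapsed."""
    totals = defaultdict(int)
    for (day, _id), value in last.items():
        totals[day] += value
    return dict(sorted(totals.items()))


def daily_delta(sums):
    """Model `streamstats current=f last(sum) AS prev | fillnull | eval delta = sum - prev`.

    current=f makes prev the previous day's sum; the first day has no previous row,
    so fillnull turns prev into 0 and the first delta equals the first day's sum.
    """
    deltas = {}
    prev = 0
    for day, total in sums.items():
        deltas[day] = total - prev
        prev = total
    return deltas


def daily_sum_of_ranges(events):
    """What the original `range(myField)` per (day, ID) gives once summed per day:
    it only sees max - min of events inside the day, never the previous day's last event."""
    hi, lo = {}, {}
    for ts, id_, value in events:
        key = (_day(ts), id_)
        hi[key] = max(hi.get(key, value), value)
        lo[key] = min(lo.get(key, value), value)
    totals = defaultdict(int)
    for key in hi:
        totals[key[0]] += hi[key] - lo[key]
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    last = last_value_per_day_per_id(EVENTS)
    sums = daily_sum(last)
    print("sum of last values per day:", sums)
    print("day-over-day delta:        ", daily_delta(sums))
    print("sum of within-day ranges:  ", daily_sum_of_ranges(EVENTS))
```

On these events day 2 gives a delta of 8 (27 - 19) but a within-day range sum of only 2, which is exactly the gap the question describes. The model also shows a property of the posted search worth knowing before relying on the numbers: an ID with no events on a day contributes nothing to that day's sum rather than carrying its last known value forward, so on day 3 the total drops to B's 12 and the delta goes negative.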
Worked like a charm. Thanks!