Hi
Now I need to show the current count and the count five minutes ago in one row. The current count search is:
index=app host="xxxx" sourcetype=xxx status>399 route =* earliest=-15m@m latest=@m| bucket span=5m _time
| stats count as current_count by _time route
And the respected result is like this:
How can I do it?
Try this
index=app host="xxxx" sourcetype=xxx status>399 route =* earliest=-15m@m latest=@m| bucket span=5m _time
| stats count as current_count by _time route | streamstats current=f window=1 values(current_count) as previous_count by route