When running this command: "low_seq=" "source_session_id" "-1177" | stats by _time,source_session_id,low_seq | delta low_seq as d | where d<0 | table _time, source_session_id, low_seq, d
I get what I want for one source_session_id:
_time source_session_id low_seq d
1:00:01 PM -1177 0 -4584
However, I have multiple source_session_id, so without "-1177", the search does not work: "low_seq=" "source_session_id" | stats by _time,source_session_id,low_seq | delta low_seq as d | table _time, source_session_id, low_seq, d
How do I make it work so it finds all source_session_id where d<0?
I tried this: "low_seq=" "source_session_id" | stats values(low_seq) by source_session_id
It groups nicely for all source_session_id, but I could not make it work with delta on stats values() to get d<0.
Thank you.
Got it.
| table _time, source_session_id, low_seq | sort 0 source_session_id | sort 0 _time | delta low_seq as d | delta source_session_id as s | where d <0 and s=0
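The search above works because sorting by session and then by time puts each session's events next to each other, so a delta on low_seq only compares rows within one session, and the delta on source_session_id (s=0) throws away the one comparison that straddles a session boundary. The following Python is an added example, not from the original post or from Splunk, that reproduces that logic on constructed events so the difference between the ungrouped delta and the per-session delta can be seen side by side. The event values are made up; the regression in session -1177 is chosen to echo the -4584 result shown in the question.

```python
from itertools import groupby
from operator import itemgetter

# Constructed sample events: (_time, source_session_id, low_seq).
# Session -1177 has a genuine sequence-number regression (4584 -> 0);
# session -2001 only ever increases.
EVENTS = [
    ("13:00:00", -1177, 4584),
    ("13:00:00", -2001, 100),   # ungrouped delta compares 100 with 4584: spurious drop
    ("13:00:01", -1177, 0),     # real regression within -1177
    ("13:00:01", -2001, 101),
    ("13:00:02", -2001, 102),
]


def naive_delta(events):
    """Delta across all events in time order (what the ungrouped search does).

    Adjacent rows from different sessions are compared, so a drop is reported
    at a session boundary and the real regression gets the wrong magnitude.
    Returns rows (time, session, low_seq, d) where d < 0."""
    ordered = sorted(events, key=itemgetter(0))  # sort is stable
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        d = cur[2] - prev[2]
        if d < 0:
            flagged.append((cur[0], cur[1], cur[2], d))
    return flagged


def grouped_delta(events):
    """Per-session delta, mirroring 'sort by session, sort by time, delta low_seq,
    delta source_session_id, where d<0 and s=0': only consecutive events of the
    same session are compared. Returns rows (time, session, low_seq, d) with d < 0."""
    ordered = sorted(events, key=itemgetter(1, 0))  # (session, time)
    flagged = []
    for _session, rows in groupby(ordered, key=itemgetter(1)):
        rows = list(rows)
        for prev, cur in zip(rows, rows[1:]):
            d = cur[2] - prev[2]
            if d < 0:
                flagged.append((cur[0], cur[1], cur[2], d))
    return flagged


if __name__ == "__main__":
    print("ungrouped:", naive_delta(EVENTS))
    print("per-session:", grouped_delta(EVENTS))
```

The ungrouped version reports two drops, one of them at the boundary between sessions, while the per-session version reports only the -4584 drop inside session -1177. A sequence number going backwards within one session is the kind of event worth surfacing (restart, reordering, or replayed traffic), which is why the grouping matters: without it the alert list fills with boundary artefacts and the real drop carries the wrong value.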