Hi everyone.
I have the current search result below and I want to have additional columns for the different dates, as in the desired result. Does anyone know how I can achieve this?
current result:
Job      Description    Time
DC_job   some desc      1/09/2017 0:02
SS_job   another dsc    1/09/2017 0:13
DC_job   some desc      2/09/2017 0:02
SS_job   another dsc    2/09/2017 1:28
DC_job   some desc      3/09/2017 1:34
SS_job   another dsc    3/09/2017 1:42
desired result:
Job      Description    Time             yday             otherday
DC_job   some desc      1/09/2017 0:02   2/09/2017 0:02   3/09/2017 1:34
SS_job   another dsc    1/09/2017 0:13   2/09/2017 1:28   3/09/2017 1:42
Hi headstrong25,
try something like this
your_search earliest=@d latest=now
| stats values(Description) AS Description latest(_time) AS Time by Job
| eval Time=strftime(Time,"%d/%m/%Y %H.%M.%S")
| append [ search
    your_search earliest=-1d@d latest=@d
    | stats latest(_time) AS yesterday by Job
    | eval yesterday=strftime(yesterday,"%d/%m/%Y %H.%M.%S")
    ]
| append [ search
    your_search latest=-1d@d
    | stats latest(_time) AS otherdays by Job
    | eval otherdays=strftime(otherdays,"%d/%m/%Y %H.%M.%S")
    ]
| stats values(Description) AS Description values(Time) AS Time values(yesterday) AS yesterday values(otherdays) AS otherdays by Job
using a time period greater than 2 days.
If you have more than one date for each job, I took the last; to take the first, use earliest instead of latest in the stats command.
Bye.
Giuseppe
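The same three columns can also be built in a single pass over the events, which avoids the two append subsearches and the subsearch limits they are subject to. This is an added example, not part of the original answer; your_search is the placeholder used above, the -7d@d window is a constructed value standing in for "a time period greater than 2 days", and today_start and yday_start are hypothetical helper fields.

```spl
your_search earliest=-7d@d latest=now
| eval today_start=relative_time(now(),"@d"), yday_start=relative_time(now(),"-1d@d")
| stats values(Description) AS Description
        max(eval(if(_time>=today_start,_time,null()))) AS Time
        max(eval(if(_time>=yday_start AND _time<today_start,_time,null()))) AS yesterday
        max(eval(if(_time<yday_start,_time,null()))) AS otherdays
        by Job
| foreach Time yesterday otherdays
    [ eval <<FIELD>>=strftime('<<FIELD>>',"%d/%m/%Y %H.%M.%S") ]
```

Taking max of the epoch _time in each day bucket gives the latest run per job; swap max for min to get the first run instead.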
Thanks cusello. This works for me.