Hello all,
Search string:
index=blahblah host=blahblah
| fields host, EventCode
| stats count by host, EventCode
| sort - count
| where count > 200
I'm trying to compare the results of this search for the following dates in one report:
1-4-2018 and 1-5-2018
You can try something like this:
|multisearch [search index=blahblah host=blahblah earliest=1515004200 latest=1515090600 | eval date="1/4/2018"] [search index=blahblah host=blahblah earliest=1515090600 latest=1515177000 | eval date="1/5/2018"]
| fields host, EventCode, date
| stats count by host, EventCode, date
| sort - count
| where count > 200
OR
index=blahblah host=blahblah earliest=1515004200 latest=1515177000
| bin _time span=1d
| fields host, EventCode
| stats count by host, EventCode, _time
| sort - count
| where count > 200
Let me know if this helps!
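An added example, not from this thread, that builds on the bin _time approach above so the two days end up side by side in one row per host/EventCode pair, with the day-over-day difference; index, host and the date window are the placeholders from the question, and the field names host_event, day and delta are my own choices:

```spl
index=blahblah host=blahblah earliest="01/04/2018:00:00:00" latest="01/06/2018:00:00:00"
| bin _time span=1d
| eval day=strftime(_time, "%Y-%m-%d")
| stats count by host, EventCode, day
| eval host_event=host." / ".EventCode
| xyseries host_event day count
| fillnull value=0
| where '2018-01-04' > 200 OR '2018-01-05' > 200
| eval delta='2018-01-05' - '2018-01-04'
| sort - delta
```

The 200 threshold is applied after the pivot, so a pair that crossed it on only one day still shows its real count for the other day rather than being dropped; the single quotes are needed because the pivoted column names start with a digit and contain dashes.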
Answered my own question:
| timechart span=1d count by EventCode
@matthew.foos if your problem is resolved, please accept an answer to help future readers.