I want to verify if there is a difference in 2 counts made that relate to different timelines.
This is what I've come up with:
index="tenablesc" sourcetype="tenable:sc:assets"
| dedup ip
| stats count(ip) as "Number of machines Detected(All time)"
| append
[ search index="tenablesc" sourcetype="tenable:sc:assets" earliest=-14d
| dedup ip
| stats count(ip) as "Number of machines Detected(Past 14 days)" ]
and the output is the following:
I would like to put both on the same line, or, if possible, just have one field that is the difference between both values.
Thank you for any help you can provide.
I'm kinda dumb, just use a join instead of an append.
I won't delete the question because it might be useful to others.
Instead of doing | dedup ip | stats count(ip)...
you can just do | stats dc(ip) as ...
It's faster and simpler.
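Putting the dc(ip) advice above together with the "both on one line plus a difference field" request, here is an added example (not from anyone in this thread) that does it in a single search with no append or join; it assumes the same index/sourcetype as the question and that _time is the asset's detection time:

```spl
index="tenablesc" sourcetype="tenable:sc:assets"
``` tag each event seen in the last 14 days; older events get null() so dc() ignores them ```
| eval recent_ip = if(_time >= relative_time(now(), "-14d"), ip, null())
``` one pass over the data gives both distinct-host counts on the same row ```
| stats dc(ip) as "Number of machines Detected(All time)",
        dc(recent_ip) as "Number of machines Detected(Past 14 days)"
``` single-quote field names with spaces inside eval; this is the difference you asked for ```
| eval "Difference" = 'Number of machines Detected(All time)' - 'Number of machines Detected(Past 14 days)'
```

The triple-backtick comments are SPL comments and can be dropped on older Splunk versions that do not support them.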
Explore the use of timewrap!
Ciao.
Giuseppe