I have a query like below and I want to compare the result of avg1 with each day result and specify if it is normal or alert. However; this result doesn't work because avg1 is not saved to use in my sub search.
host="neb1" status="authentication failure" earliest=-30d |stats count by date_mday | stats avg(count) as avg1| append [search host="neb1" status="authentication failure" | stats count by date_hour] | eval Description=case(count<=avg1, "Normal", count>avg1, "Alert")
I would really appreciate your help.
This command you are looking for is return.
additional reading:
Hope this helps or gets you started. Don't forget to vote and accept answers that help.
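Added example of the `return` pattern the answer points at (my query, not the answerer's or the asker's): the subsearch computes the 30-day average of daily failure counts and `return $avg1` substitutes the bare value into the outer `eval`, so `avg1` exists as a field when each day is classified. The `bin _time span=1d` buckets, the `@d` snapping and the `daily_count` field name are my choices; the host, status and threshold logic are from the question.

```spl
host="neb1" status="authentication failure" earliest=-30d@d latest=@d
| bin _time span=1d
| stats count AS daily_count BY _time
| eval avg1=[search host="neb1" status="authentication failure" earliest=-30d@d latest=@d
             | bin _time span=1d
             | stats count BY _time
             | stats avg(count) AS avg1
             | return $avg1]
| eval Description=case(daily_count<=avg1, "Normal", daily_count>avg1, "Alert")
| table _time daily_count avg1 Description
```

If the subsearch returns no events the substitution is empty and the `eval` fails to parse, so check that the baseline window actually contains failures before scheduling this as an alert.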
thanks for your help.
eventstats should be appended to event after stats.
Not quite sure what you're trying to really accomplish. I might even use join or eventstats. I am doing this off the cuff.
host="neb1" status="authentication failure" earliest=-30d |stats count by date_hour,date_mday | eventstats avg(count) as avg1 by date_mday | eval Description=case(count<=avg1, "Normal", count>avg1, "Alert")
Hi thanks for your reply. Can you please modify my query with adding "return" as you said?