In that case you can use the join command with sub searches:
sourcetype="Your Sourcetype" earliest=@w1-2w+9h latest=@w1-2w+10h | chart count as "Two Weeks Ago" by Operation | join type=outer [search sourcetype="Your Sourcetype" earliest=@w1-1w+9h latest=@w1-1w+10h | chart count as "One Week Ago" by Operation] | join type=outer [search sourcetype="Your Sourcetype" earliest=@w1+9h latest=@w1+10h | chart count as "This Week" by Operation] | whatever stats you'd like to do to your results
@w1 is Monday,
1w is 1 week,
2w is 2 weeks,
etc...
If you want to run this every hour as an alert, just get rid of the +9h and +10h time modifiers and set the search to run on an hourly basis and send a mail.
You could use the in-built _time field instead of extracting the time field using regex. So...
....| chart count as "1wAgo" by _time |
join type=inner _time
[search.....
OR
You could use the timechart command instead of chart.
Thank you.
I think I really need something like this:
sourcetype=MySource operation=MyOp
earliest = -15m@m latest = -0m@m |
rex " (?P
chart count as "0wAgo" by hhmm |
join type=inner hhmm
[search
sourcetype=MySource operation=MyOp
earliest = -1w@m-15m@m latest = -1w@m |
rex " (?P
chart count as "1wAgo" by hhmm |
join type=inner hhmm
[search
sourcetype=MySource operation=MyOp
earliest = -2w@m-15m@m latest = -2w@m |
rex " (?P
chart count as "2wAgo" by hhmm
]
]
I need to put the events that happened at 9:00 this Monday together with the events that happened at 9:00 on Monday a week ago, and also two weeks ago. And I want to do this for each time interval.
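The following is an added Python model of the week-over-week comparison that the first answer (join on Operation, main search two weeks ago) and the question (join on a 15-minute hhmm bucket) both describe; it is not code from this thread and not Splunk. It uses constructed events for a hypothetical "Login" operation around a Monday 09:00 window, replaces the truncated rex with a bin-to-15-minutes function, and contrasts the two join types used in the thread: Splunk's type=outer is a left join that keeps every bucket of the main search (a bucket with no events this week shows up as 0), whereas type=inner keeps only buckets present in every window, so a bucket that went completely quiet this week drops out of the result and is never seen by the alert condition.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not real logs): a Monday 09:00-10:00 window this
# week, one week ago and two weeks ago, for a single monitored operation.
BASE = datetime(2024, 3, 18, 9, 0)   # Monday 09:00, the "@w1+9h" anchor
WEEK = timedelta(weeks=1)
OPERATION = "Login"                  # hypothetical value of the Operation field


def make_events():
    """Build (timestamp, operation) tuples. Baseline weeks have 4 events in
    every 15-minute bucket; this week 09:30 is reduced and 09:45 is empty."""
    events = []
    for weeks_back in (2, 1):
        for q in range(4):
            start = BASE - weeks_back * WEEK + timedelta(minutes=15 * q)
            events += [(start + timedelta(seconds=s), OPERATION) for s in (5, 120, 400, 700)]
    for q, n in ((0, 4), (1, 4), (2, 1)):
        start = BASE + timedelta(minutes=15 * q)
        events += [(start + timedelta(seconds=30 * i), OPERATION) for i in range(n)]
    return events


def bucket_hhmm(ts, span_min=15):
    """Snap to the start of the 15-minute bucket and render HH:MM, the job the
    truncated rex does in the question (or `bin _time span=15m` as the second
    reply suggests)."""
    minute = ts.minute - ts.minute % span_min
    return ts.replace(minute=minute, second=0, microsecond=0).strftime("%H:%M")


def count_window(events, start, end):
    """`search ... earliest=start latest=end | chart count by hhmm` for one window."""
    return Counter(bucket_hhmm(ts) for ts, op in events
                   if op == OPERATION and start <= ts < end)


def join_windows(main, subsearches, how="left"):
    """Join per-bucket counts on hhmm. `main` and each subsearch is (label, Counter).
    how="left" mirrors Splunk's join type=outer: every bucket of the main search
    survives and a bucket absent from a subsearch is reported as 0.
    how="inner" keeps only buckets present in every window, so a bucket with no
    events this week vanishes from the result instead of showing 0."""
    keys = set(main[1])
    if how == "inner":
        for _, counts in subsearches:
            keys &= set(counts)
    return {k: {label: counts.get(k, 0) for label, counts in [main, *subsearches]}
            for k in sorted(keys)}


def flag_drops(joined, ratio=0.5):
    """Alert condition: this week's count under `ratio` of the two-week baseline average."""
    flagged = {}
    for hhmm, row in joined.items():
        baseline = (row["1wAgo"] + row["2wAgo"]) / 2
        if baseline > 0 and row["0wAgo"] < ratio * baseline:
            flagged[hhmm] = row
    return flagged


def run(how="left"):
    """Main search = two weeks ago (as in the first answer), joined with one week ago and this week."""
    events = make_events()
    end = BASE + timedelta(hours=1)
    windows = {label: count_window(events, BASE - w * WEEK, end - w * WEEK)
               for label, w in (("2wAgo", 2), ("1wAgo", 1), ("0wAgo", 0))}
    joined = join_windows(("2wAgo", windows["2wAgo"]),
                          [("1wAgo", windows["1wAgo"]), ("0wAgo", windows["0wAgo"])],
                          how=how)
    return joined, flag_drops(joined)


if __name__ == "__main__":
    for how in ("left", "inner"):
        joined, flagged = run(how)
        print(how, "-> flagged buckets:", sorted(flagged))
```

With the left join the 09:45 bucket is reported with 0wAgo=0 and flagged alongside the reduced 09:30 bucket; with the inner join only 09:30 is flagged, because 09:45 has no row this week to match on. When the purpose of the search is to alert on an operation going quiet, put the baseline search first and keep type=outer, as the first answer does.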