So I have a search that runs over a 4h time span that only gives results when the number of events of one kind is as many as or more than the number of hours. I want to be able to run it over any timespan:
search terms earliest=-4h latest=now() | ... | stats count by _raw,TimeInHour,punct|
addinfo| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > 3
The search should look for results that have a count equal to the number of hours I searched over, but if I write
search terms earliest=-4h latest=now() | ... | stats count by _raw,TimeInHour,punct |addinfo
| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > hours-1
I get no results. Are count and hours not something I can compare? How do I change that?
rename count "AS" something else and then use that something else to compare.
...|stats count AS foobar by _time |where foobar>25
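As an added example (not from this thread), here is the full pipeline with the comparison done in `where`. The reason the original `search count > hours-1` returns nothing is that `search` treats the right-hand side as a literal value, so it compares `count` against the string "hours-1"; `where` evaluates both sides as expressions, so `count` and the computed `hours` field can be compared numerically. The index, sourcetype and `src_ip` field below are assumptions chosen for illustration; the threshold "at least one failed login per hour of the search window" is the same idea as the question, just applied to a per-source count.

```spl
index=main sourcetype=linux_secure "Failed password" earliest=-8h latest=now
| stats count AS failures BY src_ip
| addinfo
| eval hours=round((info_max_time - info_min_time)/3600, 0)
| where failures >= hours
| fields - info_min_time, info_max_time, info_search_time, info_sid
```

Renaming `count` to `failures` in the `stats` line (as the answer suggests) avoids any ambiguity with the `count` keyword later in the pipeline, and because `hours` is derived from `addinfo` the threshold scales automatically when the time picker is changed, so the same search works for a 4h window or a 7d window without editing the literal.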
changing search to where was all it took. Thanks!
It depends on how you're getting 'count'... Maybe this search will work for you?
search terms earliest=-4h | eventstats count | addinfo | eval hours = round((info_max_time - info_min_time)/3600,0) | where count > hours
No, it's from a stats pipe. I'll add that part of the search.
Is count a field in the event?
And why do you use search count > hours-1? Why not where count > hours-1? And rather than round, could you use "floor"?