Get values of several series during same timespan ...

gregory_cordier · ‎05-18-2020

Hi,

I built a report that list daily maximums and averages of counts per hour on several days. (difficult to put it in phrase..)
Here is the query I use:

<search string>
| bucket _time span=1h 
| stats dc(Serial) as dcSerial, dc(otherserial) as dcOtherSerial by _time 
| bucket _time span=1d 
| eval Processedtime=strptime(_time,"%s") 
| stats max(dcSerial) avg(dcSerial) max(dcOtherSerial) avg(dcOtherSerial) by Processedtime

So this query returns maximums of distinct counts of each fields, which is good.
But what I need is to return the dcOtherSerial has when dcSerial is at the maximum during the day (because I don't care about the maximum of dcOtherSerial, I want to correlate both of them).
Is it understandable ?

any thoughts?

thanks

to4kawa · ‎05-23-2020

 <search string>
 | bucket _time span=1h 
 | stats dc(Serial) as dcSerial, dc(otherserial) as dcOtherSerial by _time 
 | bucket _time span=1d 
 | eval Processedtime=strptime(_time,"%s") 
 | eventstats max(dcSerial) avg(dcSerial) max(dcOtherSerial) avg(dcOtherSerial) by Processedtime
 | where as_you_like

use eventstats not stats

Get values of several series during same timespan that the maximum of one series during a day

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...