I understand how to search using the time range picker, or by adding "earliest" and "latest" in the primary search-command.
However, I would like to run eventstats across my entire dataset (to identify events occurring only once) and then pick out only those occurring within a specific timeframe. I have tried adding something like this after my eventstats-command:
| search earliest=<...> latest=<...>
However, this doesn't work. I have been able to achieve what I want by adding:
| where antall=1 AND _time<strptime("2015-12-01", "%F") AND _time>strptime("2015-11-01", "%F")
but this is just a work-around and I don't get any of the functionality for relative times or aligning.
Am I missing something? Is this supposed to work? Is there any other way?
Some more details on what I try to achieve:
My log shows users (identified by USER) looking up records (identified by ID)
I want to find the records which have only been looked up by one user across the entire dataset.
This can be done by:
<search command> | stats dc(USER) as cnt by ID | where cnt=1
or if I want to see the original log-events:
<search command> | eventstats dc(USER) as cnt by ID | where cnt=1
Now, if one record is accessed by user A in January and user B in March, cnt will be 2 for this record if I compute across the whole dataset. However, it will be 1 if I compute against just January data or just March data.
Now, my March data looks strange, so I want to look at only events happening during March, but I need the stats to be counted across the whole dataset, as I don't want records looked at by other users in other months included. So I need the date-filter to be later than eventstats in the search pipeline.
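The ordering point the question turns on (distinct-user count over the whole dataset, time filter applied afterwards) can be made concrete outside Splunk. The Python below is an added example, not code from the original post and not Splunk's own implementation: it emulates `eventstats dc(USER) as cnt by ID` and an `earliest`/`latest` window on `_time` over a small constructed log, and shows that filter-after-stats and filter-before-stats flag different records. The `month_window` helper is an assumption that stands in for month-aligned relative times such as `@mon`.

```python
from datetime import datetime

# Constructed sample log (not data from the original post): (_time, USER, ID)
EVENTS = [
    (datetime(2015, 1, 12, 9, 0), "A", "rec-1"),   # rec-1: A in January, B in March
    (datetime(2015, 3, 3, 10, 30), "B", "rec-1"),
    (datetime(2015, 3, 5, 11, 0), "C", "rec-2"),   # rec-2: only C, only in March
    (datetime(2015, 3, 6, 12, 0), "C", "rec-2"),
    (datetime(2015, 2, 20, 8, 0), "D", "rec-3"),   # rec-3: only D, outside March
    (datetime(2015, 3, 15, 14, 0), "E", "rec-4"),  # rec-4: E and F, both in March
    (datetime(2015, 3, 16, 14, 0), "F", "rec-4"),
]


def eventstats_dc_user_by_id(events):
    """Emulates `| eventstats dc(USER) as cnt by ID`: every event is kept and
    annotated with the number of distinct users that looked up its ID."""
    users_by_id = {}
    for _time, user, rec_id in events:
        users_by_id.setdefault(rec_id, set()).add(user)
    return [(t, u, i, len(users_by_id[i])) for t, u, i in events]


def in_window(events, earliest, latest):
    """Emulates earliest/latest on _time: earliest inclusive, latest exclusive."""
    return [e for e in events if earliest <= e[0] < latest]


def month_window(year, month):
    """Hypothetical helper: the [first day, first day of next month) window,
    the alignment that a month-snapped relative time would give."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end


def single_user_ids_stats_then_filter(events, earliest, latest):
    """The pipeline the question asks for: count across ALL data, then keep
    only events inside the window, then `where cnt=1`."""
    annotated = eventstats_dc_user_by_id(events)
    kept = in_window(annotated, earliest, latest)
    return sorted({i for _t, _u, i, cnt in kept if cnt == 1})


def single_user_ids_filter_then_stats(events, earliest, latest):
    """The pipeline a time range picker gives: window first, then count.
    Users who touched the record in other months are invisible here."""
    annotated = eventstats_dc_user_by_id(in_window(events, earliest, latest))
    return sorted({i for _t, _u, i, cnt in annotated if cnt == 1})


if __name__ == "__main__":
    earliest, latest = month_window(2015, 3)
    print("stats then filter:", single_user_ids_stats_then_filter(EVENTS, earliest, latest))
    print("filter then stats:", single_user_ids_filter_then_stats(EVENTS, earliest, latest))
```

With the March window, the stats-then-filter pipeline returns only `rec-2`; the filter-then-stats pipeline also returns `rec-1`, because user A's January lookup is cut away before the count is taken. That is exactly the false positive the question wants to avoid, which is why the time constraint has to sit after `eventstats` rather than in the base search.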