I am trying to display errors from the last 24 hours that have NOT happened in the last 7 days. I only want to see the "new" errors.
When I run this search, it compares the two time periods and removes only the errors that happened in both. So it displays the new errors and the old ones. Any help would be greatly appreciated!
|set diff
    [search sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-7d@d latest=-1d@d sub_source="'C'" sub_origin="'D'"
     | stats count by error, msg, program
     | table error, msg, program]
    [search sourcetype=Apps (Hosted="A" OR Hosted="B") earliest=-1d@d latest=@m sub_source="'C'" sub_origin="'D'"
     | stats count by error, msg, program
     | table error, msg, program]
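The behaviour described in the question is what `set diff` does: it returns the results that appear in exactly one of the two subsearches (a symmetric difference), so errors seen only in the older window are kept alongside the genuinely new ones. The query below is an added example, not from the original post, that produces the one-sided result the poster is after (errors whose first occurrence in the whole 7-day window falls inside the most recent period). It reuses the poster's field names and filters as given; the `-1d@d` cutoff mirrors the boundary used in their second subsearch, and the `first_seen`/`total_count` field names are introduced here for illustration.

```spl
sourcetype=Apps (Hosted="A" OR Hosted="B") sub_source="'C'" sub_origin="'D'" earliest=-7d@d latest=@m
| stats min(_time) AS first_seen, count AS total_count by error, msg, program
| where first_seen >= relative_time(now(), "-1d@d")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table error, msg, program, first_seen, total_count
```

Running one search over the full window and grouping by (error, msg, program) means a combination that already occurred before the cutoff gets an earlier `first_seen` and is dropped by the `where` clause, while anything whose earliest hit is inside the recent period survives. This also avoids the alternative of `... earliest=-1d@d NOT [search ... earliest=-7d@d latest=-1d@d | fields error, msg, program]`, which works for small result sets but is subject to the subsearch result limit (10,000 rows by default), so a busy week of errors could silently let old errors through as "new".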