Okay gonna need a little more help here lol. I do understand the cluster command but not quite sure how to get it to work with the above filter to identify what looks like new errors Below is what i have so far
index="log4net" AND level="ERROR" earliest=-60d@d
| cluster showcount=t labelonly=t
| table cluster_label cluster_count message
| eval lastMonth=if(_time < relative_time(now(), "-30d@d"), 1, 0)
| eval thisMonth=if(_time >= relative_time(now(), "-30d@d"), 1, 0)
| stats values(lastMonth) as "last" values(thisMonth) as "this" by message
| eval myCount = mvcount(this)
| search this=1 AND last=0 AND myCount < 2
| table last, this, message
... View more