Hello,
I am trying to write a query which results in the subtraction of $datetimepicker value events counts & $datetimepicker-1w value events count.
The query tried below does not work and gives me count1 & count2 for two different timeframes and I can subtract and get the result.
index=app | search eventName=*** | stats count as count1
| addinfo | eval start_time=strftime(relative_time(info_min_time,"-1w"),"%m/%d/%Y:%H:%M:%S") | eval end_time=strftime(relative_time(info_max_time,"-1w"),"%m/%d/%Y:%H:%M:%S")
| append [search eventName=*** earliest=start_time latest=end_time
| stats count as count2 ]
Suggestions to use other parameters are welcome.