
| count _timeslice

Do not alias timeslice as we're going to use the compare operator.

Compare cannot generate more than seven additional queries.

Then, from the Time Compare button, select Custom, and set the Custom Time Compare dialog settings to:

From the results in the Aggregates tab, you can select the line chart icon, and display your results as:

For more compare operator examples, see Examples.

An additional query is generated whenever a comparison in time is initiated. This query compares with the past 14 days data.

For example, the following queries are not allowed:

Note that multiple comparisons and aggregate comparisons will generate multiple queries.

| compare timeshift 1d 5 avg, timeshift 1w 4

It is not allowed as it generates 14 queries. This query compares with the last five days, and the same day for the last four weeks.

Real time queries using time compare need to have at least three timeslices within their time range.

| compare timeshift 1d 7 as last_week, timeshift 1d 7 avg as last_week

For example, the following query is not allowed:

It is not allowed as it generates 9 queries.

| abs(_count - _count_7d_avg )/ _count_7d_avg as percentOver

_sourceCategory=WebserverLogs "Bad username or password"

You can use the compare operator to create scheduled search email alerts.

For example, if you want to be alerted if there is a 15% spike in login failures compared to the average of the last seven days, you could use the following query:

Compare can only be used once in a search query.

Compare is not supported in Scheduled Views.

For example, if the time range is 10 minutes, your timeslices need to be no longer than 3 minutes so that there are at least three of them.
