The purpose of the query is to identify those events that occurred after 10/14/2017 01:00:00 that had not occurred in the 30 days prior to 10/13/2017 22:00:00. Not sure how to display this, any ideas?
This is what I have to work with:
earliest=-30d@d latest=@m sourcetype=Apps (Hosted="A" OR Hosted="b" OR Hosted="c" OR Hosted="d" OR Hosted="e" OR Hosted="f" OR Hosted="g") AND sub_origin="*ONLINE*"
| where _time < strptime("2017-10-13 22:00", "%F %H:%M") OR _time > strptime("2017-10-14 01:00", "%F %H:%M")
| rex "msg\=\'(?<first22char>(.{22}))"
| eval older_than_X = if( _time < (strptime("2017-10-13 22:00", "%F %H:%M")),1,0)
| stats max(older_than_X) as older_than_X, count by program_error, err_transaction, first22char
| search older_than_X=0
| table count, program_error, err_transaction, first22char
| rex mode=sed field="program_error" "s/\'//g"
| rex mode=sed field="err_transaction" "s/\'//g"
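The baseline-versus-window logic the search above relies on (flag each signature that was seen before the 13 Oct 22:00 cutoff, then keep only signatures whose flag never became 1), as an added Python example that is not part of the original post. The events, field values and the `new_error_signatures` function are constructed for illustration; the 30-day lower bound is assumed to be handled by whatever produces the event set.

```python
import re
from collections import defaultdict
from datetime import datetime

# Cutoffs from the post: baseline ends 13 Oct 22:00, the window of interest starts 14 Oct 01:00.
BASELINE_END = datetime(2017, 10, 13, 22, 0)
WINDOW_START = datetime(2017, 10, 14, 1, 0)

# Constructed sample events: (timestamp, program_error, err_transaction, raw message).
# Values carry the stray single quotes that the post strips with "rex mode=sed".
EVENTS = [
    ("2017-09-20 09:15", "'E100'", "'TXN_LOGIN'", "msg='Timeout waiting for backend A'"),
    ("2017-10-13 21:59", "'E100'", "'TXN_LOGIN'", "msg='Timeout waiting for backend A'"),
    ("2017-10-14 01:05", "'E100'", "'TXN_LOGIN'", "msg='Timeout waiting for backend A'"),  # seen in baseline
    ("2017-10-14 01:30", "'E205'", "'TXN_PAY'", "msg='Null pointer in payment router'"),   # first seen in window
    ("2017-10-14 02:10", "'E205'", "'TXN_PAY'", "msg='Null pointer in payment router'"),
    ("2017-10-13 23:30", "'E300'", "'TXN_SEARCH'", "msg='Index rebuild in progress here'"),  # inside excluded gap
]

# Same capture as the post's rex: the first 22 characters after msg='
MSG_RE = re.compile(r"msg='(?P<first22char>.{22})")


def strip_quotes(value):
    """Equivalent of rex mode=sed "s/\\'//g" on a field value."""
    return value.replace("'", "")


def new_error_signatures(events, baseline_end=BASELINE_END, window_start=WINDOW_START):
    """Return {(program_error, err_transaction, first22char): count} for signatures that occur
    after window_start but never before baseline_end, mirroring stats max(older_than_X)==0."""
    older_than_x = defaultdict(int)  # per-signature max() of the 1/0 baseline flag
    counts = defaultdict(int)
    for ts, prog, txn, msg in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if baseline_end <= t <= window_start:  # the gap the base search filters out
            continue
        match = MSG_RE.search(msg)
        if not match:
            continue
        key = (strip_quotes(prog), strip_quotes(txn), match.group("first22char"))
        counts[key] += 1
        older_than_x[key] = max(older_than_x[key], 1 if t < baseline_end else 0)
    return {key: n for key, n in counts.items() if older_than_x[key] == 0}
```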