I am trying to build a summary index to pull a week-over-week comparison of specific applications. The below query works normally, but for efficiency reasons I would like to place this in a summary index. I am having trouble getting the results I want displayed for the comparison in question. My results with `sitimechart` are using the date and time that the data was ingested into the summary index, which prevents my comparison method from working.
The search results off of the summary index place events in a "NULL" column and do not follow the eval statements.
```
index=1 host=1234 sourcetype=sourcetype application=app earliest=-2w@w latest=@w
| eval marker = if (_time < relative_time(now(), "-1w@w"), "last week", "this week")
| eval _time = if (marker=="last week", _time + 7*24*60*60, _time)
| timechart count by marker cont=FALSE
```
See attached for stats table
![alt text][1]
[1]: /storage/temp/255669-results.png
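A summary-index setup that keeps the original event time, added here as an illustration and not taken from the original post: the scheduled search stores hourly per-application counts with `stats ... BY _time`, so each summary event carries its hour bucket rather than the time the search ran, and the week-over-week search then reuses the marker evals unchanged. The index, host, sourcetype, application, the summary index name `summary_app` and the stanza name are assumed placeholders.

```ini
# savedsearches.conf: scheduled search that populates the summary index once an hour.
# "stats count BY _time application" keeps the event's own bucketed _time, so the
# summary-index action stores that timestamp instead of the search's run time.
[wow_app_counts_summary]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = summary_app
search = index=1 host=1234 sourcetype=sourcetype application=app \
| bin _time span=1h \
| stats count AS app_count BY _time application

# Ad-hoc week-over-week search over the summary index (run as a normal search;
# kept in this file as a comment only so both halves sit together). Because _time is
# the original hour bucket, the marker eval and the +7d shift work as in the raw search.
# index=summary_app search_name="wow_app_counts_summary" earliest=-2w@w latest=@w
# | eval marker = if(_time < relative_time(now(), "-1w@w"), "last week", "this week")
# | eval _time = if(marker=="last week", _time + 7*24*60*60, _time)
# | timechart cont=false span=1h sum(app_count) AS count BY marker
```

Checking the summary events with `index=summary_app | table _time _indextime app_count application` shows whether `_time` is the hour bucket (expected) or the ingest time (the symptom described above).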