So I'm working on a search that returns standard network stuff and using a `bin` to bucket the data by a day. Something like this:
```
base search earliest=-7d
| bin _time span=1d as window
| stats count(dest) as destination values(this) as this values(that) as that by ip window
| where destination > 2
```
So this works but what I'm really interested in seeing are those ip values that exist in more than one window `bin`. I can't think of a way to break it down from what has effectively been the end of the search up to this point. Any ideas?
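One way to carry the search one step further, as an added example that is not part of the original post: keep the per-`window` rows that survive the `destination > 2` filter, then annotate each row with the number of distinct windows its `ip` appears in and keep only ips seen in more than one. `base search`, `this` and `that` are the poster's placeholders.

```spl
base search earliest=-7d
| bin _time span=1d AS window
| stats count(dest) AS destination values(this) AS this values(that) AS that BY ip window
| where destination > 2
| eventstats dc(window) AS windows BY ip
| where windows > 1
| sort ip window
```

`eventstats` adds the `windows` count without collapsing the per-window rows, so the original `this`/`that` values stay visible for each day; if only the list of repeat ips is wanted, replace the last three lines with `| stats dc(window) AS windows values(window) AS seen_in BY ip | where windows > 1`.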