If you want to use compare with timeslice, don't alias timeslice. It will also work with outlier, timeslice, and transpose. Compare can only be used in aggregate searches that use operators like avg, count, pct, or sum. The compare operator allows you to compare current search results with data from a past time period for aggregate searches.

The compare and logcompare operators are very similar in syntax and functionality, but they handle different types of data:

- logcompare is used for log signature counts (used right after the first pipe).
- compare is used for aggregated numeric data (such as, for analyzing results from a group by query or a query with aggregation operators such as count, sum, and avg).

Then, from the Time Compare button, select Custom, and set the Custom Time Compare dialog settings to:

From the results in the Aggregates tab, you can select the line chart icon, and display your results as:

For more compare operator examples, see Examples.

- Max - takes the maximum of your historical comparisons.
- Min - takes the minimum of your historical comparisons.
- Average - takes the average of your historical comparisons.
- Individual - displays each time comparison separately, for example, on a different line.

For example, if you wanted to compare the behavior of backfill errors on Continuous queries over the last seven days, use the following query:

Do not alias timeslice as we will use the compare operator.

We don't support going back further in time. Compare this query to a historical timeshift. You can retrieve time-shifted data up to the last 40 days.

To create a custom Time Compare, select Custom from the menu, then make your selections in the Custom Time Compare query builder dialog. The comparison results appear in a new column titled with the timeshift.

Or select another timeshift comparison from the Default Time Compare

Click the Time Compare button to run the default timeshift comparison of 1 day.
You can also customize the prefix for a query by specifying an alias. From here, you can select a chart type to display results visually.

For example, if you were doing a comparison with yesterday, when you use the compare operator after the count operator, the aggregation table results will display the column names _count and _count_1d. Additional columns are suffixed by the timeshift (the period shifted back in time) of the queries. The first column is the field being grouped by which contains results from the present time (or the time range specified in the time range field). Each column of the output table contains results from one of the specified queries.

- Compare with an aggregate over multiple time periods in the past.
- Compare with multiple time periods in the past.
- Compare with a single time period in the past.

By default, results are displayed in the Aggregates tab on the search page in a table.

Use the compare operator in the following ways:

- Identify malicious activity or attacks by comparing failed login attempts against past averages.
- Compare the daily active or weekly active users on your website for strategic business insights.
- Track the root cause of a production issue quickly by tracking specific keywords, such as memory exceptions, and comparing them with historic data to find any anomalous trends.
- Evaluate the performance metrics of a website, such as the latency or the number of exceptions, before and after a deployment.

The Time Compare button uses the compare operator automatically in a query with a click. The Time Compare button becomes available in the Aggregates tab when you run an aggregate search, and allows you to run a compare operation automatically from your search results.