The Time Compare button becomes available in the Aggregates tab when you run an aggregate search, and allows you to run a compare operation automatically from your search results. The Time Compare button uses the compare operator automatically in a query with a click. The compare operator allows you to compare current search results with data from a past time period for aggregate searches. Compare can only be used in aggregate searches that use operators like avg, count, pct, or sum.

Typical uses of the compare operator:

- Evaluate the performance metrics of a website, such as the latency or the number of exceptions, before and after a deployment.
- Track the root cause of a production issue quickly by tracking specific keywords, such as memory exceptions, and comparing them with historic data to find any anomalous trends.
- Compare the daily active or weekly active users on your website for strategic business insights.
- Identify malicious activity or attacks by comparing failed login attempts against past averages.

Use the compare operator in the following ways:

- Compare with a single time period in the past.
- Compare with multiple time periods in the past.
- Compare with an aggregate over multiple time periods in the past.

By default, results are displayed in the Aggregates tab on the search page in a table. Each column of the output table contains results from one of the specified queries. The first column is the field being grouped by, which contains results from the present time (or the time range specified in the time range field). Additional columns are suffixed by the timeshift (the period shifted back in time) of the queries. For example, if you were doing a comparison with yesterday, when you use the compare operator after the count operator, the aggregation table results will display the column names `_count` and `_count_1d`. From here, you can select a chart type to display results visually. You can also customize the prefix for a query by specifying an alias.

To create a custom Time Compare, select Custom from the menu, then make your selections in the Custom Time Compare query builder dialog. You can retrieve time-shifted data up to the last 40 days. We do not support going back further in time.

Compare this query to a historical timeshift using one of the following:

- Individual - displays each time comparison separately, for example, on a different line.
- Average - takes the average of your historical comparisons.
- Min - takes the minimum of your historical comparisons.
- Max - takes the maximum of your historical comparisons.

For example, if you wanted to compare the behavior of backfill errors on continuous queries over the last seven days, use the following query. Do not alias `_timeslice`, because the compare operator is applied to it next:

```
| count _timeslice
```

Then, from the Time Compare button, select Custom, and set the Custom Time Compare dialog to the seven-day comparison you want. From the results in the Aggregates tab, you can select the line chart icon and display your results as a line chart. For more compare operator examples, see Examples.

Rules for the compare operator:

- Compare cannot generate more than seven additional queries. An additional query is generated whenever a comparison in time is initiated. Note that multiple comparisons and aggregate comparisons will generate multiple queries. For example, the following queries are not allowed:

  A query that compares with the past 14 days' data is not allowed, as it generates 14 queries.

  This query compares with the last five days, and the same day for the last four weeks. It is not allowed, as it generates 9 queries:

  ```
  | compare timeshift 1d 5 avg, timeshift 1w 4
  ```

- Real time queries using time compare need to have at least three timeslices within their time range. For example, if the time range is 10 minutes, your timeslices need to be no longer than 3 minutes so that there are at least three of them.
- Compare is not supported in Scheduled Views.
- Compare can only be used once in a search query. For example, the following query is not allowed (both comparisons reuse the alias `last_week`, and each of them generates seven additional queries, which together also exceeds the seven-query limit):

  ```
  | compare timeshift 1d 7 as last_week, timeshift 1d 7 avg as last_week
  ```

You can use the compare operator to create scheduled search email alerts. For example, if you want to be alerted if there is a 15% spike in login failures compared to the average of the last seven days, you could use the following query; only its search expression and its final calculation appear here:

```
_sourceCategory=WebserverLogs "Bad username or password"
| abs(_count - _count_7d_avg) / _count_7d_avg as percentOver
```
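The column-naming and query-counting rules above, shown on a complete search. This is an added example and not a query from the page or from Sumo Logic's documentation; it assumes the `compare timeshift` form used on this page, that an unaliased one-week shift is suffixed `_1w` in the same way a one-day shift is suffixed `_1d`, that `//` introduces a comment line, and that a `_sourceCategory` named `WebserverLogs` exists.

```sumo
// Constructed example: failed logins per hour, compared with the same hour
// yesterday and the same hour one week ago. Each timeshift clause below is
// one additional query, so this search generates 2 of the 7 allowed.
_sourceCategory=WebserverLogs "Bad username or password"
| timeslice 1h
| count by _timeslice            // do not alias _timeslice before compare
| compare timeshift 1d as yesterday, timeshift 1w as last_week
// Output columns: _timeslice, _count, _count_yesterday, _count_last_week.
// Without the aliases the same search would name them _count_1d and _count_1w.
// Replacing the two clauses with "timeshift 1d 7 avg" would instead generate
// 7 additional queries and collapse them into the single column _count_7d_avg.
```

The two aliases matter when the result feeds a chart or a later operator: a suffix derived from the shift (`_1d`) changes if you change the shift, while an alias (`yesterday`) keeps downstream field references stable.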
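The login-failure alert described above, carried through as a full pipeline. This is an added example, not the page's own query; it assumes the `compare timeshift` form used on this page, that `timeshift 1d 7 avg` yields the column `_count_7d_avg`, that `//` introduces a comment line, and that the search is saved as a scheduled search whose alert condition is "results returned".

```sumo
// Constructed example: alert when hourly failed logins deviate 15% or more
// from the hourly average of the same period over the previous seven days.
_sourceCategory=WebserverLogs "Bad username or password"
| timeslice 1h
| count by _timeslice
// One comparison, seven shifts of one day, averaged into _count_7d_avg.
// This generates 7 additional queries, the maximum compare permits.
| compare timeshift 1d 7 avg
// Relative deviation. abs() also fires on a 15% drop; drop abs() and keep
// only (_count - _count_7d_avg) / _count_7d_avg if only spikes should alert.
| abs(_count - _count_7d_avg) / _count_7d_avg as percentOver
// Keep only the timeslices that breach the threshold; a scheduled search
// set to alert on "results returned" then emails only when a breach exists.
| where percentOver >= 0.15
| fields _timeslice, _count, _count_7d_avg, percentOver
```

Two practical checks before scheduling it: the search window must contain at least three timeslices if the search runs as a real time query, and a `_count_7d_avg` of zero (no failures in the baseline at all) makes the division undefined, so for a quiet source consider a minimum absolute count alongside the percentage.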