Data for the last 4 months / weeks

How do we get a timechart for the past 4 months? I have tried the query below, but it only gives me data for a fixed set of four months, like March, April, May, June.. how do I get August, September, October and November..

Please find below the query I tried..

index=foo earliest=-1mon@mon latest=-0mon@mon Technology="Sourcefire" 
| timechart span=1day count AS JUN-2020 
| appendcols [search index=SI earliest=-2mon@mon latest=-1mon@mon Technology="Sourcefire" 
| timechart span=1day count AS MAY-2020] 
| appendcols [search index=SI earliest=-3mon@mon latest=-2mon@mon Technology="Sourcefire" 
| timechart span=1day count AS APR-2020] 
| appendcols [search index=SI earliest=-4mon@mon latest=-3mon@mon Technology="Sourcefire" 
| timechart span=1day count AS MAR-2020] 
| table _time JUN-2020 MAY-2020 APR-2020 MAR-2020

Could you also help me get the data for the last 4 weeks.. I tried this, but it didn't work..

index=Foo earliest=-1w@w1 latest=-0w@w1 
| timechart span=1hour count by RuleAction 
| appendcols [search index=FOO_1 | timechart span=1hour count by blocked ]
| appendcols [search index=Foo earliest=-2w@w1 latest=-1w@w1 
| timechart span=1hour count by RuleAction 
| appendcols [search index=FOO_1 
| timechart span=1hour count by blocked ]]
| appendcols [search index=Foo earliest=-3w@w1 latest=-2w@w1 
| timechart span=1hour count by RuleAction 
| appendcols [search index=FOO_1 
| timechart span=1hour count by blocked ]]
| appendcols [search index=FOO earliest=-4w@w1 latest=-3w@w1 
| timechart span=1hour count by RuleAction 
| appendcols [search index=ngss*_sourcefire_seceventFOO_1 
| timechart span=1hour count by blocked ]]

If you want a timechart for the last 4 months, why not just use this?

index=foo earliest=-1mon@mon latest=-0mon@mon Technology="Sourcefire"
| append [ search index=SI earliest=-4mon@mon latest=-1mon@mon Technology="Sourcefire" ]
| timechart span=1d count

The problem with the second query is a common one. The appendcols command is order-dependent. That means the rows from the subsearch are matched one-to-one, by position, with the rows from the main search. If the order of the returned rows differs between the subsearches, the results will be unpredictable. Use append instead, and let the timechart command sort it out.
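To make the two points above concrete, here is an added worked example in Python; it is not part of the original thread and not Splunk's own code. It models (as a simplifying assumption) what `earliest=-4mon@mon latest=-0mon@mon` and `earliest=-4w@w1 latest=-0w@w1` resolve to for a given "now", then shows why feeding the union of events to a per-day count (what `append` followed by `timechart` does) gives the same answer regardless of event order, while pairing rows by position (what `appendcols` does) silently misaligns when the two result sets differ in order or length. The events and row lists are constructed sample data; the snapping helpers are approximations of Splunk's relative-time modifiers, not its implementation.

```python
"""Rolling time windows and append vs appendcols, illustrated (added example)."""
from collections import Counter
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple


def snap_months_ago(now: datetime, n: int) -> datetime:
    """Approximation of Splunk's `-Nmon@mon`: step back n months, then snap to
    00:00 on the 1st of that month (assumption: calendar months, local time)."""
    year, month = now.year, now.month - n
    while month <= 0:
        month += 12
        year -= 1
    return datetime(year, month, 1)


def snap_weeks_ago(now: datetime, n: int) -> datetime:
    """Approximation of Splunk's `-Nw@w1`: step back n weeks, then snap to the
    preceding Monday at 00:00 (`@w1` snaps to Monday)."""
    day = (now - timedelta(weeks=n)).date()
    monday = day - timedelta(days=day.weekday())
    return datetime(monday.year, monday.month, monday.day)


def rolling_window(now: datetime, n: int, unit: str) -> Tuple[datetime, datetime]:
    """earliest/latest covering the last n whole months ('mon') or weeks ('w'),
    excluding the current partial period, i.e. `earliest=-Nmon@mon latest=-0mon@mon`.
    Because it is computed from `now`, the window rolls forward automatically."""
    snap = snap_months_ago if unit == "mon" else snap_weeks_ago
    return snap(now, n), snap(now, 0)


def timechart_count(events: List[datetime], earliest: datetime,
                    latest: datetime) -> Dict[date, int]:
    """`| timechart span=1d count` over one combined event stream (what `append`
    feeds it): bucket by calendar day. Event order is irrelevant to the result."""
    counts: Counter = Counter()
    for ts in events:
        if earliest <= ts < latest:
            counts[ts.date()] += 1
    return dict(sorted(counts.items()))


def appendcols_by_position(main_rows: list, sub_rows: list) -> list:
    """What `appendcols` does: the i-th subsearch row is glued onto the i-th main
    row, regardless of the _time each row carries. Rows past the shorter result
    are dropped here (a simplification; Splunk's own padding is not modelled)."""
    return list(zip(main_rows, sub_rows))


# Constructed sample data: event timestamps spread over several months.
SAMPLE_EVENTS = [
    datetime(2020, 2, 28, 9, 0),    # before the window, must be excluded
    datetime(2020, 3, 2, 10, 0),
    datetime(2020, 3, 2, 11, 30),
    datetime(2020, 6, 30, 23, 59),  # last minute of the window
    datetime(2020, 7, 1, 0, 0),     # current (partial) month, excluded by latest
]


def demo_months(now: datetime = datetime(2020, 7, 15)) -> Dict[date, int]:
    earliest, latest = rolling_window(now, 4, "mon")
    return timechart_count(SAMPLE_EVENTS, earliest, latest)


def demo_appendcols_misalignment() -> list:
    """June rows ascending, May rows descending (e.g. a subsearch that happened to
    return newest-first): appendcols pairs June 1 with May 31, June 2 with May 30."""
    june = [(date(2020, 6, d), 1) for d in range(1, 31)]
    may_desc = [(date(2020, 5, d), 1) for d in range(31, 0, -1)]
    return appendcols_by_position(june, may_desc)


if __name__ == "__main__":
    print("4-month window:", rolling_window(datetime(2020, 7, 15), 4, "mon"))
    print("4-week window: ", rolling_window(datetime(2020, 7, 15), 4, "w"))
    print("per-day counts:", demo_months())
    print("first appendcols pair:", demo_appendcols_misalignment()[0])
```

Run it as-is and compare the first pair printed by `demo_appendcols_misalignment()` with what the original query intended (day 1 of June next to day 1 of May): the dates disagree, which is exactly the order dependence described above. The `timechart_count` result, by contrast, is identical whether the events arrive sorted, reversed, or shuffled.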
