The original search is selected with the drop down box at the top of the screen.
I created a subsearch with an earliest duration of 24 hours.
I then used now() - Earliest2 to get when the error first occurred within 24 hours.
However, if I use any time less than 24 hours, I receive incomplete results. Some of my table is blank. Any tips on how to clean my code up and fix my search would be great! Thanks
index="example"
| eval ErrorMessage=substr(Message,1,150)
| rex field=ErrorMessage mode=sed "s/User.*:.*\)/User: yyyy/g"
| rex field=ErrorMessage mode=sed "s/[0-]{4,20}/XXXX/g"
| eval eventTime=substr(CreatedAt, 1,16)
| fields *
| search EventType=Errors
| eval ErrorMessage=Server+": "+Application+": " +ErrorMessage
| stats earliest(_time) as Earliest, latest(_time) as Latest, count as "Error Count" by ErrorMessage
| eval difference = round(((now() - Latest)/60), 2)
| eval Log = "Last error occurred " +difference+ " minutes ago"
| append
    [search index="prod" earliest=-24h
    | eval ErrorMessage=substr(Message,1,150)
    | rex field=ErrorMessage mode=sed "s/User.*:.*\)/User: yyyy/g"
    | rex field=ErrorMessage mode=sed "s/[0-]{4,20}/XXXX/g"
    | eval eventTime=substr(CreatedAt, 1,16)
    | fields *
    | search EventType=Errors
    | eval ErrorMessage=Server+": "+Application+": " +ErrorMessage
    | stats earliest(_time) as Earliest2, latest(_time) as Latest, count as "Error Count" by ErrorMessage]
| stats first(Earliest) as Earliest, first(Latest) as Latest, first(Earliest2) as "Earliest2", first(Log) as Log, first("Error Count") as "Error Count" by ErrorMessage
| eval Hidden = (now()-Earliest2)/3600
| sort - "Error Count"
| convert ctime(Earliest), ctime(Latest)
| rename Earliest as "Earliest Error", "Latest" as "Latest Error"
| fields ErrorMessage, "Error Count", "Earliest Error", "Latest Error", Log, Hidden
| head 10

(Hidden: this variable will be hidden for some color palette expressions.)
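The following search is an added example, not the poster's own code: it keeps the same masking and the same "selected range plus last 24 hours" structure, but tags each event with the window it came from before a single `stats`, so every output row gets its `Error Count`, `Earliest`, `Latest` and `Log` from the selected range and only `Earliest2`/`Hidden` from the 24-hour window. It assumes the field names used in the post (`Message`, `Server`, `Application`, `EventType`, the `example` and `prod` indexes), reads the digit-masking class as `[0-9]` (the post has `[0-]`, which would only match runs of `0` and `-`), and drops messages that never occurred in the selected range rather than showing them with blank columns. The masking runs before the `by ErrorMessage` grouping, so user names and identifiers never reach the aggregated table and near-identical errors collapse into one row. Note that `append` is still bounded by the subsearch result and runtime limits (`maxout`/`maxtime`), and truncation there is silent, so a very noisy 24-hour window can also produce missing rows.

```spl
index="example" EventType=Errors
| eval ErrorMessage=substr(Message,1,150)
| rex field=ErrorMessage mode=sed "s/User.*:.*\)/User: yyyy/g"
| rex field=ErrorMessage mode=sed "s/[0-9]{4,20}/XXXX/g"
| eval ErrorMessage=Server.": ".Application.": ".ErrorMessage
| eval window="selected"
| append
    [search index="prod" EventType=Errors earliest=-24h
    | eval ErrorMessage=substr(Message,1,150)
    | rex field=ErrorMessage mode=sed "s/User.*:.*\)/User: yyyy/g"
    | rex field=ErrorMessage mode=sed "s/[0-9]{4,20}/XXXX/g"
    | eval ErrorMessage=Server.": ".Application.": ".ErrorMessage
    | eval window="last24h"]
| stats count(eval(window="selected")) as "Error Count",
        min(eval(if(window="selected", _time, null()))) as Earliest,
        max(eval(if(window="selected", _time, null()))) as Latest,
        min(eval(if(window="last24h", _time, null()))) as Earliest2
        by ErrorMessage
| where 'Error Count' > 0
| eval Log="Last error occurred ".round((now()-Latest)/60, 2)." minutes ago"
| eval Hidden=round((now()-Earliest2)/3600, 2)
| sort - "Error Count"
| convert ctime(Earliest) ctime(Latest)
| rename Earliest as "Earliest Error", Latest as "Latest Error"
| fields ErrorMessage, "Error Count", "Earliest Error", "Latest Error", Log, Hidden
| head 10
```

`count(eval(window="selected"))` yields 0, not null, for a message seen only in the 24-hour window, which is what lets `where 'Error Count' > 0` remove those rows cleanly; computing `Log` after the final `stats` means it exists for every remaining row instead of being carried through `first()`. `Hidden` is still blank for a message that has no occurrence in the last 24 hours (possible only when the selected range is longer than 24 hours), which matches the original behaviour; add `| fillnull value=0 Hidden` if the color palette expression needs a number there.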