compare
Use the compare command to compare properties generated by
the link command over the comparison intervals specified.
Syntax
compare [fields=<field> [,<field>]*] [timeshift = <offset> [size = <size>][count=<int>] | timerange <datetime> to <datetime> [as <new_field_name>], ...]Parameters
The following table lists the parameters used in this command, along with their descriptions.
| Parameter | Description |
|---|---|
|
|
<direction><int><timescale>
OR autoSets comparison time range as an offset of the current time range.
|
size |
<int><timescale>Sets the size of the length of time of the comparison time range.
|
count |
<int>Specifies the number of time ranges for comparison. If not specified, the default value is 1. |
|
|
Explicitly sets start and end of a comparison time range. |
For example of using this command in typical scenarios, see:
The following command compares average content size of an entity from 7 days ago and from 14 days ago:
* | link Entity
| stats avg('Content Size') as 'Average Content Size'
| compare fields = 'Average Content Size' timeshift = -7d count = 2The following command compares average content size of an entity from another period of time:
* | link Entity
| stats avg('Content Size') as 'Average Content Size'
| compare fields = 'Average Content Size'
timerange = '2018-06-07T00:00:00Z' to '2018-06-14T00:00:00Z' as T1The following command compares 2 time ranges that have the same window size as the
current time range, in the negative direction. For example, if the current time
range is Last 60 minutes, then the timeshift ranges are
last 60 to 120 minutes, and last 120 to 180 minutes:
* | link span = 5minute 'Log Source'
| compare timeshift = auto count = 2