最近 4 个月/周数据

Question

我们如何获得过去 4 个月的时间表我已经尝试了以下查询，但它给了我固定的过去 4 个月的数据，例如仅适用于 MAR、APR、MAY、JUN .. 我怎样才能获得 AUG SEP OCT 和 NOV 的数据。 .

PFB 尝试查询..

index=foo earliest=-1mon@mon latest=-0mon@mon Technology="Sourcefire" 
| timechart span=1day count AS JUN-2020 
| appendcols [search index=SI earliest=-2mon@mon latest=-1mon@mon Technology="Sourcefire" 
  | timechart span=1day count AS MAY-2020] 
| appendcols [search index=SI earliest=-3mon@mon latest=-2mon@mon Technology="Sourcefire" 
  | timechart span=1day count AS APR-2020] 
| appendcols [search index=SI earliest=-4mon@mon latest=-3mon@mon Technology="Sourcefire" 
  | timechart span=1day count AS MAR-2020] 
| table _time JUN-2020 MAY-2020 APR-2020 MAR-2020

请您帮忙获取最近 4 周的数据.. 我试过下面哪个不起作用..

index=Foo earliest=-1w@w1 latest=-0w@w1 
| timechart span=1hour count by  RuleAction  
| appendcols [search index=FOO_1 | timechart span=1hour count by blocked ]
  appendcols [search index=Foo earliest=-2w@w1 latest=-1w@w1 
| timechart span=1hour count by  RuleAction 
| appendcols [search index=FOO_1  
| timechart span=1hour count by blocked ]
 appendcols [search index=Foo earliest=-3w@w1 latest=-2w@w1 
  | timechart span=1hour count by  RuleAction 
  | appendcols [search index=FOO_1  
  | timechart span=1hour count by blocked ]
 appendcols [search index=FOO earliest=-4w@w1 latest=-3w@w1 
| timechart span=1hour count by  RuleAction 
| appendcols [search index=ngss*_sourcefire_seceventFOO_1 
  | timechart span=1hour count by blocked ]

Answer 1

如果您想要过去 4 个月的 timechart，那么为什么不使用它呢？

index=foo earliest=-1mon@mon latest=-0mon@mon Technology="Sourcefire"
| append [ search index=SI earliest=-4mon@mon latest=-1mon@mon Technology="Sourcefire" ]
| timechart span=1d count

第二个查询的问题很常见。 appendcols 命令取决于顺序。这意味着来自子搜索的事件与来自主搜索的事件一对一地匹配。如果返回事件的顺序在子搜索中有所不同，那么结果将是不可预测的。改用append，让timechart 命令解决。