How-To: Compare the Last 31-60 days to the Previous 30 Days

To compare the last 31-60 days to the 30 previous 30 days, you can use the case{} statement method or the bucket() function method.

Compare Using `case{}` Statements

To arrange and compare data using case{} statements and the @timestamp field, the process looks like this:

// Run this query over the last 60 days.
#event_simpleName = ProcessRollup2
| case {
    test(@timestamp < (start()+(30*24*60*60*1000))) | eventSize(as=eventSize31to60);
    * | eventSize(as=eventSize0to30);
}
| stats([avg(as=avg31to60, field=eventSize31to60), avg(as=avg0to30, field=eventSize0to30)])

Note that you will still need to complete a 60-day query, since the query will encompass all results.

The first line creates a basic filter that looks for ProcessRollup2 events.
The second line is a case{} statement that queries, "if the @timestamp is older than 30 days ago, save the event size in the eventSize31to60 variable.
The third line (and second part) of the case statement says "everything else gets the event size saved as the eventSize0to30 variable."
The final line obtains the average of the two previous statements and displays them as output.

The end results looks like this:

Figure 7. Case Statement Results

For more information on LogScale Query Language and conditional expressions, see Conditional Expressions.

`bucket` method

To compare using the bucket() function method, there are two prerequisites:

The bucket size should be divided by the number of values you'd like to compare. For example, if you're looking at three 30-day windows over 90 days, each bucket should be 30 days.
You might need to lower the search timeframe if you end up with an extra bucket, e.g. change it to 89 days if you specify a 30-day bucket but end up with 4 buckets.

The query looks like this:

logscale

thisSize := eventSize()
| bucket(span=30d, function=avg(thisSize))

The results of the query look like this:

Knowledge Base