The Time Compare button becomes available in the Aggregates tab when you run an aggregate search, and allows you to run a compare operation automatically from your search results. The Time Compare button uses the compare operator automatically in a query with a click.

The compare operator allows you to compare current search results with data from a past time period for aggregate searches. Compare can only be used in aggregate searches that use operators like avg, count, pct, or sum.

- Evaluate the performance metrics of a website, such as the latency or the number of exceptions, before and after a deployment.
- Track the root cause of a production issue quickly by tracking specific keywords, such as memory exceptions, and comparing them with historic data to find any anomalous trends.
- Compare the daily active or weekly active users on your website for strategic business insights.
- Identify malicious activity or attacks by comparing failed login attempts against past averages.

Use the compare operator in the following ways:

- Compare with a single time period in the past.
- Compare with multiple time periods in the past.
- Compare with an aggregate over multiple time periods in the past.

By default, results are displayed in the Aggregates tab on the search page in a table. Each column of the output table contains results from one of the specified queries. The first column is the field being grouped by, which contains results from the present time (or the time range specified in the time range field). Additional columns are suffixed by the timeshift (the period shifted back in time) of the queries. For example, if you were doing a comparison with yesterday, when you use the compare operator after the count operator, the aggregation table results will display the column names _count and _count_1d. From here, you can select a chart type to display results visually.

You can also customize the prefix for a query by specifying an alias.

To create a custom Time Compare, select Custom from the menu, then make your selections in the Custom Time Compare query builder dialog. You can retrieve time-shifted data up to the last 40 days. We do not support going back further in time.

Compare this query to a historical timeshift.

- Individual - displays each time comparison separately, for example, on a different line.
- Average - takes the average of your historical comparisons.
- Min - takes the minimum of your historical comparisons.
- Max - takes the maximum of your historical comparisons.

For example, if you wanted to compare the behavior of backfill errors on continuous queries over the last seven days, use the following query:
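As an added illustration of the compare semantics described on this page, applied to the failed-login use case, the Python sketch below emulates a count compared against time-shifted history. It is not Sumo Logic code and not a query from the original page; the sample counts, the `compare` and `above_baseline` helpers, the threshold factor and the aggregate column name `_count_7d_avg` are assumptions of this example.

```python
from statistics import mean

# Constructed sample data: failed logins per account per day.
# Index 0 is the present day, index n is n days ago.
FAILED_LOGINS = {
    "alice": [4, 3, 5, 4, 2, 3, 4, 5],
    "svc-backup": [120, 2, 1, 3, 2, 1, 2, 3],
}
MAX_LOOKBACK_DAYS = 40  # the page's limit on time-shifted data
AGGREGATES = {"avg": mean, "min": min, "max": max}


def compare(history, shift_days=1, periods=1, aggregate=None, field="_count"):
    """Return {group: row}; each row holds the present value plus shifted columns."""
    if shift_days * periods > MAX_LOOKBACK_DAYS:
        raise ValueError("timeshift goes back further than 40 days")
    rows = {}
    for group, counts in history.items():
        if len(counts) <= shift_days * periods:
            raise ValueError(f"not enough history for {group}")
        past = [counts[shift_days * k] for k in range(1, periods + 1)]
        row = {field: counts[0]}  # first value column: the present time range
        if aggregate is None:
            # "Individual": one column per comparison, suffixed by its timeshift
            for k, value in enumerate(past, start=1):
                row[f"{field}_{shift_days * k}d"] = value
        else:
            # Aggregated comparison; this column name is this example's own choice
            name = f"{field}_{shift_days * periods}d_{aggregate}"
            row[name] = AGGREGATES[aggregate](past)
        rows[group] = row
    return rows


def above_baseline(rows, column, factor=3.0, field="_count"):
    """Groups whose present value exceeds factor x the historical column."""
    return sorted(g for g, r in rows.items() if r[field] > factor * r[column])


if __name__ == "__main__":
    table = compare(FAILED_LOGINS, periods=7, aggregate="avg")
    for group, row in table.items():
        print(group, row)
    print("review:", above_baseline(table, "_count_7d_avg"))
```

Comparing against the seven-day average rather than yesterday alone keeps one quiet or noisy day from setting the baseline for the failed-login check.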