compare

Use the compare command to compare properties generated by the link command over the comparison intervals specified.

Syntax

compare [fields=<field> [,<field>]*] [timeshift = <offset> [size = <size>][count=<int>] | timerange <datetime> to <datetime> [as <new_field_name>], ...]

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter Description

offset

<direction><int><timescale> OR auto

Sets comparison time range as an offset of the current time range.

  • auto: Timeshift is the same as the window size of the current time range, in the negative direction.
  • direction syntax: + | -
  • timescale syntax: <sec> | <min> | <hour> | <day> | <week> | <mon>
  • sec syntax: s | sec | secs | second | seconds
  • min syntax: m | min | mins | minute | minutes
  • hour syntax: h | hr | hrs | hour | hours
  • week syntax: w | week | weeks
  • month syntax: mon | month | months

size

<int><timescale>

Sets the length of the comparison time range.

  • timescale syntax: <sec> | <min> | <hour> | <day> | <week> | <mon>
  • sec syntax: s | sec | secs | second | seconds
  • min syntax: m | min | mins | minute | minutes
  • hour syntax: h | hr | hrs | hour | hours
  • week syntax: w | week | weeks
  • month syntax: mon | month | months

count

<int>

Specifies the number of time ranges for comparison. If not specified, the default value is 1.

datetime

Explicitly sets start and end of a comparison time range.

For examples of using this command in typical scenarios, see:

The following command compares the average content size of an entity from 7 days ago and from 14 days ago:

* | link Entity 
| stats avg('Content Size') as 'Average Content Size' 
| compare fields = 'Average Content Size' timeshift = -7d count = 2

The following command compares the average content size of an entity from another period of time:

* | link Entity 
| stats avg('Content Size') as 'Average Content Size' 
| compare fields = 'Average Content Size' 
        timerange = '2018-06-07T00:00:00Z' to '2018-06-14T00:00:00Z' as T1

The following command compares 2 time ranges that have the same window size as the current time range, in the negative direction. For example, if the current time range is Last 60 minutes, then the timeshift ranges are last 60 to 120 minutes, and last 120 to 180 minutes:

* | link span = 5minute 'Log Source'
 | compare timeshift = auto count = 2
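
The following Python sketch is an added example, not part of the product or its documentation. It models how timeshift, size and count select the comparison time ranges, which helps confirm what baseline periods a query is actually compared against. The function names, the day aliases, and the rule that size is measured from the shifted start are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit aliases from the parameter table. The day aliases are an assumption:
# the page lists <day> without spelling them out, though its example uses "d".
# Months are left out because their length depends on the calendar.
_UNIT_SECONDS = {}
for _names, _secs in (("s sec secs second seconds", 1),
                      ("m min mins minute minutes", 60),
                      ("h hr hrs hour hours", 3600),
                      ("d day days", 86400),
                      ("w week weeks", 604800)):
    for _n in _names.split():
        _UNIT_SECONDS[_n] = _secs

def parse_span(text, signed):
    """Parse <int><timescale>; signed=True also requires a leading + or -."""
    m = re.fullmatch(r"([+-]?)(\d+)\s*([a-z]+)", text.strip().lower())
    if not m or m.group(3) not in _UNIT_SECONDS or bool(m.group(1)) != signed:
        raise ValueError(f"not a valid {'offset' if signed else 'size'}: {text!r}")
    span = timedelta(seconds=int(m.group(2)) * _UNIT_SECONDS[m.group(3)])
    return -span if m.group(1) == "-" else span

def comparison_ranges(start, end, timeshift, count=1, size=None):
    """Return the (start, end) pairs that compare would look at.

    Assumptions (hypothetical model): the i-th range is shifted by i times
    the offset, and size, when given, is measured from the shifted start.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    window = end - start
    shift = -window if timeshift.strip().lower() == "auto" else parse_span(timeshift, True)
    length = parse_span(size, False) if size else window
    return [(start + i * shift, start + i * shift + length)
            for i in range(1, count + 1)]

if __name__ == "__main__":
    # Constructed sample: "Last 60 minutes" ending at a fixed instant.
    end = datetime(2018, 6, 14, 12, 0, tzinfo=timezone.utc)
    for lo, hi in comparison_ranges(end - timedelta(minutes=60), end, "auto", 2):
        print(lo.isoformat(), "to", hi.isoformat())
```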