So I have a search that runs over a 4h time span that only gives results when the number of events of one kind is as many as or more than the number of hours. I want to be able to run it over any time span:
search terms earliest=-4h latest=now() | ... | stats count by _raw,TimeInHour,punct|
addinfo| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > 3
The search should look for results that have a count equal to the number of hours I searched over, but if I write
search terms earliest=-4h latest=now() | ... | stats count by _raw,TimeInHour,punct |addinfo
| eval hours = round((info_max_time - info_min_time)/3600,0) | search count > hours-1
I get no results. Are count and hours not something I can compare? How do I change that?
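Added example, not from the original post: the same pipeline with the comparison moved from `search` to `where`. `search` compares a field against a literal value, so `hours-1` is taken as the string "hours-1"; `where` evaluates both sides as expressions, and `count >= hours` is the same condition as `count > hours-1`. The `search terms` and the `...` stand in for the poster's own terms and intermediate commands, which are assumed here.

```spl
search terms earliest=-4h latest=now
| ...
| stats count by _raw, TimeInHour, punct
| addinfo
| eval hours = round((info_max_time - info_min_time)/3600, 0)
| where count >= hours
```

Because `hours` is derived from the `addinfo` fields rather than hard-coded, changing `earliest` (for example to `-24h`) adjusts the threshold automatically.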