When you perform a search, results are displayed for the specified search criteria and the selected time range. The results appear as a timeline chart, followed by the actual results retrieved from the indexed data file.
You can compare the results of the same query (summarized on the timeline chart) against two different time ranges. This allows you to easily view any differences between the two time ranges with respect to the log data. You can also compare the results of one search query against another search query for the same time duration.
Use the following information to understand how to compare results:
Use cases for comparing results
The following use cases can help you understand the advantages of using the various compare options to visualize differences in your data.
Comparing results for the same search query, but different time duration
Suppose you are monitoring the health of an application. After restarting the application, you see some errors. You know that when you restarted the application yesterday, it worked properly, and you suspect an error in one of the application's components. You want to compare the logs of that component with the logs of the same component from the previous day. In this case, you can use the Previous day (same duration) compare option to visualize the differences in the logs for the same search query, but for the previous day.
Comparing results for the same time duration, but different search query
Suppose you are troubleshooting an issue about why an application went down abruptly. You know that the problem is with one of the components of the application. The same component is deployed on two hosts, Host A and Host B. The component on Host A is working properly. You want to compare the logs of the component on Host A with the logs of the component on Host B for the same time duration. In this case, you can use the Same time compare option to visualize the differences between the logs for the same time but different search queries.
To compare results
- Navigate to the Search tab and perform a search.
- On the top-left of the page, click the vertical three dots (indicating a menu) next to All Data and select Compare Data.
- Perform one or all of the following steps:
  - Compare results based on time: Click the three dots menu next to the time range that appears, and select one of the compare options. For more information, see Compare options.
    You can also use the following additional functions for specifying the time duration:
    - Specify a custom time duration by manually editing the time range. Note that editing the time duration does not change the time context used for the comparison. For example, if the original time context used for the comparison was last 60 minutes, then the new time context used for the comparison continues to be last 60 minutes.
    - Shift the selected time duration to a time before or after the selected time duration by clicking Shift time context to previous or Shift time context to next.
  - Compare results based on search query: Replace the search query in the box under the time range.
    If the original query contains a long string separated by pipes (|), then the comparison run (against the next query) is only based on the portion of the original query before the first pipe.
- Click Compare to run the comparison.
Functions available after comparing results
By default, when you run a comparison, the original timeline chart and the compared chart are merged. The bars are displayed in different colors to distinguish the original chart from the compared chart. To separate the charts, select Separate Charts from the Merged Chart three dots menu, which is located at the top-left of the chart. To merge them again, select Merge Charts from the Separated Charts three dots menu.
In the legend, the original timeline chart is displayed with the notation Current Search, while the compared chart is displayed with the compare option selected. You can click the legend keys to hide (or show) the original chart or the compared chart.
To return to the compare options, click Expand to change options at the bottom-right of the chart and change the search query or select another compare option. After selecting the compare option, or changing the search query, or both, you need to click Change to run the comparison.
To return to the normal view and see the series of actual search results, click the three dots menu next to Compare Data at the top-left of the page, and select All Data.
The following table provides a list of compare options that you can use for comparing search results across different time contexts:
|Compare option|Description|Example|
|---|---|---|
|Same time|Displays a timeline chart for the same time duration but for a different search query. You need to provide a new search query to be able to see the results.| |
|Previous time (same duration)|Displays a timeline chart for the time context before the original time context.|Original: Feb 26, 11:51am - Feb 26, 12:51pm; Compared: Feb 26, 10:51am - Feb 26, 11:51am|
|Previous day (same duration)|Displays a timeline chart for the time context that is one day prior to the original time context.|Original: Feb 26, 11:51am - Feb 26, 12:51pm; Compared: Feb 25, 11:51am - Feb 25, 12:51pm|
|Previous week (same duration)|Displays a timeline chart for the time context that is one week prior to the original time context. Note: By default, the value of the Maximum Data Retention (in days) field in the System Settings page is set to 7. If you do not increase the value, then this compare option returns the message "No search results found".|Original: Feb 26, 11:51am - Feb 26, 12:51pm; Compared: Feb 19, 11:51am - Feb 19, 12:51pm|
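The following added example (not part of the product or its documentation) works through the compare options in the table above: it derives the compared window for each option, checks it against the retention setting, and applies the rule that only the part of the original query before the first pipe is compared. The function names, the sample query syntax, the year 2024, and the model that data older than now minus the retention period is unsearchable are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# How far back each compare option shifts the window (per the table above).
# "Previous time" shifts by the window's own duration; "Same time" does not shift.
OFFSETS = {
    "Same time": lambda duration: timedelta(0),
    "Previous time (same duration)": lambda duration: duration,
    "Previous day (same duration)": lambda duration: timedelta(days=1),
    "Previous week (same duration)": lambda duration: timedelta(weeks=1),
}

def compared_window(option, start, end):
    """Return the (start, end) window charted for the chosen compare option."""
    shift = OFFSETS[option](end - start)
    return start - shift, end - shift

def within_retention(window, now, retention_days=7):
    """Assumption: data older than now - retention_days can no longer be searched."""
    oldest_kept = now - timedelta(days=retention_days)
    return window[1] > oldest_kept  # some part of the window is still retained

def comparison_base(query):
    """Only the portion of the original query before the first pipe is compared."""
    return query.split("|", 1)[0].strip()

def plan_comparison(option, query, start, end, now, retention_days=7):
    """Summarize what a comparison would run against, and whether data can exist."""
    window = compared_window(option, start, end)
    return {
        "option": option,
        "query": comparison_base(query),
        "window": window,
        "has_data": within_retention(window, now, retention_days),
    }

if __name__ == "__main__":
    # Constructed sample: the table's Feb 26 window, with an assumed year.
    start, end = datetime(2024, 2, 26, 11, 51), datetime(2024, 2, 26, 12, 51)
    query = 'error AND component="billing" | stats count'  # constructed syntax
    for option in OFFSETS:
        plan = plan_comparison(option, query, start, end, now=end)
        lo, hi = plan["window"]
        note = "" if plan["has_data"] else '  -> "No search results found"'
        print(f"{option:32} {lo:%b %d %H:%M} - {hi:%b %d %H:%M}{note}")
```

With the default retention of 7 days, only the Previous week window is flagged; raising `retention_days` to 8 clears the flag.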