I would like to build a chart to compare errors from a specific time range to another. In this example a baseline day from the past and a day there was an event. The user can choose two time ranges and I want to show them a comparison as an overlay. I'm struggling with how to set the time modifier variable. I saw that you can do something like this - |eval basetime=8 |eval evtime=1 | eval diff=basetime-evtime to get a difference, but I am not sure how to get the values to do the diff on. I believe I need to get the number of days difference between the earliest of the baseline timerange (assuming it is in the past) and the earliest of the 'Event' time range. Then I would plug this value in the formula for the time modification (creates the overlay)|eval _time=_time+60*60*24*diff
index=myindex earliest=$time2.earliest$ latest=$time2.latest$ sourcetype=mysourcetype | bucket _time span=1hr | stats count by _time | eval ReportKey="Event"
|append [search index=myindex earliest=$time1.earliest$ latest=$time1.latest$ sourcetype=mysourcetype | bucket _time span=1hr | stats count by _time |eval ReportKey="Baseline"
|eval _time=_time+60*60*24*diff] | timechart values(count) by ReportKey
Does anyone have any idea how this could be done?
Thanks!
