I know this can be done with an append, but I am pretty sure this is possible just via evals. Please help me out if possible.
index=source earliest=-48h@h
| bin _time span=15m
| search CustomName=Place123
| eventstats avg(RawStatus_Avg) AS perHour by _time
| timechart span=60m avg(perHour) as Total by CustomName
| eval threshold=relative_time(now(),"-30m")
| stats avg(eval(_time<threshold)) as Old avg(eval(_time>threshold)) as Current by Total
| eval OldAvgCnt=Old/95
| eval ratio=Current/OldAvgCnt
| table ratio
I am trying to see the last 30 minutes vs. the last 48 hours both with lines on a chart.
Thanks,
Solved it.
index=words earliest=-48h@h
| search CustomName=place123
| eval StartTime=relative_time(now(),"-15m@m")
| eval Series= if(_time>=StartTime,"Last_15_Minutes","Two_Day_Avg")
| eval Hour = strftime(_time,"%H")
| timechart avg(RawStatus_Avg) by Series
Hey Joshua,
I've gone a little back and forth on this one in terms of how to approach it. From what I can gather, your requirements are as follows:
The solution I've come up with relies primarily on the timewrap and the foreach commands. If I'm understanding the problem correctly, this should satisfy all three of the requirements:
index=source earliest=-48h@h
| bin _time span=5m
| search CustomName="Place123"
| chart avg(RawStatus_Avg) AS perHour OVER _time by CustomName
| timewrap 30minutes
| fillnull value=0
| eval counter=0, priorAvg=0
| foreach *before
[ eval priorAvg=if(isnotnull(<<FIELD>>), <<FIELD>>+priorAvg, priorAvg), counter=counter+1]
| eval priorAvg=priorAvg/counter
| rename *_latest_30minutes AS *_Current
| table _time *_Current priorAvg
The priorAvg field displays your average over the last 48 hours, while the *_Current field shows current values in the last 30 minutes. I've used 5-minute buckets instead of 15 to give you a few more chart plot points, but that can be changed if you require.
I'm also unclear on how the ratio field plays into the question, but you can re-add it onto the chart if you'd like by adding this:
...BASE SEARCH...
| foreach *_Current
[ eval <<MATCHSTR>>_Ratio = <<FIELD>> / priorAvg]
| table *_Ratio
If I'm misunderstanding the question, or if anything isn't working as expected, please let me know. I am also here to assist if anything doesn't make sense.
Best of luck!
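To make the timewrap + foreach logic above concrete outside Splunk, here is an added Python example (not code from the thread) that reproduces the same computation on a constructed 48-hour series of RawStatus_Avg readings: 5-minute bins, 30-minute periods wrapped back from "now", the latest period as Current, the mean of all earlier periods at the same offset as priorAvg, and their ratio. The sample data, the fixed "now" and the field names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

BIN_S = 5 * 60    # bin _time span=5m
WRAP_S = 30 * 60  # timewrap 30minutes
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def make_events(now, hours=48):
    """Constructed sample: one reading every 5 min for 48h; baseline 50.0, last 30 min 100.0."""
    events, t = [], now - timedelta(hours=hours)
    while t < now:
        events.append((t, 100.0 if t >= now - timedelta(minutes=30) else 50.0))
        t += timedelta(minutes=5)
    return events

def bucket_start(ts, span_s):
    """bin _time span=<span>: floor the epoch time to the bucket boundary."""
    epoch = int(ts.timestamp())
    return epoch - epoch % span_s

def timewrap_compare(events, now):
    """Latest 30-minute period vs. the mean of every earlier 30-minute period,
    aligned on the offset inside the period (what timewrap + foreach *before computes)."""
    now_epoch = int(now.timestamp())
    bins = defaultdict(list)  # chart avg(RawStatus_Avg) over _time
    for ts, v in events:
        bins[bucket_start(ts, BIN_S)].append(v)
    by_offset = defaultdict(dict)  # offset in period -> {period index: avg}
    for b, vals in bins.items():
        age_end = now_epoch - (b + BIN_S)  # seconds from the bin's end to "now"
        if age_end < 0:
            continue  # bin is still open
        period, offset = divmod(age_end, WRAP_S)  # 0 = latest, 1 = 30 min before, ...
        by_offset[offset][period] = mean(vals)
    rows = []
    for offset in sorted(by_offset, reverse=True):
        periods = by_offset[offset]
        current = periods.get(0)  # the *_latest_30minutes column
        prior = [v for p, v in periods.items() if p > 0]  # the *before columns
        prior_avg = mean(prior) if prior else None  # priorAvg = sum / counter
        ratio = current / prior_avg if current is not None and prior_avg else None
        rows.append({"bin_minutes_ago": (offset + BIN_S) // 60,
                     "Current": current, "priorAvg": prior_avg, "Ratio": ratio})
    return rows

if __name__ == "__main__":
    for row in timewrap_compare(make_events(SAMPLE_NOW), SAMPLE_NOW):
        print(row)
```

With the constructed data every one of the six rows shows Current 100.0 against a priorAvg of 50.0 (95 earlier periods, the same divisor the original question used), so the ratio is 2.0.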