I know this can be done with an append, but I am pretty sure this is possible just via evals. Please help me out if possible.
| bin _time span=15m
| search CustomName=Place123
| eventstats avg(RawStatus_Avg) AS perHour by _time
| timechart span=60m avg(perHour) as Total by CustomName
| eval threshold=relative_time(now(),"-30m")
| stats avg(eval(_time<threshold)) as Old avg(eval(_time>threshold)) as Current by Total
| eval OldAvgCnt=Old/95
| eval ratio=Current/OldAvgCnt
| table ratio
I am trying to see the last 30 minutes vs. the last 48 hours both with lines on a chart.
I've gone a little back and forth on this one in terms of how to approach it. From what I can gather, your requirements are as follows:
You want to see the latest 30 minutes on a line chart
You want to see the average for the last 48 hours on the same line chart
You want to be able to change the "CustomName" field to define which CustomName field value you're looking for
The solution I've come up with relies primarily on the timewrap and the foreach commands. If I'm understanding the problem correctly, this should satisfy all three of the requirements:
| bin _time span=5m
| search CustomName="Place123"
| chart avg(RawStatus_Avg) AS perHour OVER _time by CustomName
| timewrap 30minutes
| fillnull value=0
| eval counter=0, priorAvg=0
| foreach *before
[ eval priorAvg=if(isnotnull(<<FIELD>>), <<FIELD>>+priorAvg, priorAvg), counter=counter+1]
| eval priorAvg=priorAvg/counter
| rename *_latest_30minutes AS *_Current
| table _time *_Current priorAvg
The priorAvg field displays your average over the last 48 hours, while the *_Current field shows current values in the last 30 minutes. I've used 5-minute buckets instead of 15 to give you a few more chart plot points, but that can be changed if you require.
I'm also unclear on how the ratio field plays into the question, but you can re-add it onto the chart if you'd like by adding this: