thanks @gcusello . Could you help me with below asks?
when we run the base query without timewrap, the todays count is only 6 and yesterday count us 19.
But, when we run the base query with timewrap the todays total is 25 and yesterday total is 13.
Splunk Query:
basesearch earliest=-7d@d latest=now()
| timechart span=1h count
| timewrap d series=short
| addtotals s*
| eval 7dayavg=Total/7.0
| table _time, s0, s1, Total, 7dayavg
| rename s0 as Today, s1 as yesterday
Results:
_time Today yesterday Total 7dayavg
| 2024-01-31 08:00 | 0 | 0 | 0 | 0.0 |
| 2024-01-31 09:00 | 0 | 0 | 0 | 0.0 |
| 2024-01-31 10:00 | 2 | 0 | 4 | 0.57 |
