I currently have a timechart running every minute each day to show a given field value as it increases through the day. The data is being displayed as an area chart. If possible, I'd like to add an overlay to the chart that will show the "average" value each minute over a larger time period (yesterday, or last week for instance). I already have the "historical" timechart data being saved to a summary index, I'm just wondering what the best way would be to incorporate it.
Right now, the search is relatively simple:
"my search text" earliest=@d+6h latest=@d+18h source="mylog.log" | timechart span=1m count
And I am running this same search, without the earliest and latest filters, and writing the results to a summary index. So it is just a matter of taking today's count by minute and comparing it to the summary index count by minute to get a baseline of today vs. prior days, to make it easier to see if it is "normal" or not.
I'd probably approach this like so...
Once a day, between 12p and 6a, run an extract from the summary index to a csv, with each projected minute of the new day calculated. I would probably do three numbers - bottom edge, average, top edge - and decide the edges based on 2-3 standard deviations. For simplicity of the actual presentation, I would put each number on its own individual event record with three fields, _time, series and eventcount. Since there are only 720 minutes in your 12 hour period, this would only be 2160 records, so it's fairly small.
Then your presentation is this...
"my search text" earliest=@d+6h latest=@d+18h source="mylog.log" | bin _time span=1m | stats count as eventcount by _time | eval series="today" | append [|inputcsv mydailycsv.csv | table _time series eventcount] | timechart span=1m sum(eventcount) as count by series
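One way to write the once-a-day extract step described above, added here as an example and not part of the original post. It assumes the summarizing saved search writes to index=summary with source="my_summary_search" and a per-minute count field (the field name timechart count produces), a 7-day lookback, and edges at 2 standard deviations; all of those names and numbers are assumptions and should be adjusted to the real environment. The search is meant to run from a scheduled search between midnight and 6a, so now() falls on the new day being projected.

```spl
index=summary source="my_summary_search" earliest=-7d@d latest=@d
| eval minute_of_day=strftime(_time, "%H:%M")
| where minute_of_day>="06:00" AND minute_of_day<"18:00"
| stats avg(count) AS mean stdev(count) AS sd by minute_of_day
| eval sd=coalesce(sd, 0)
| eval low=max(mean - 2*sd, 0), high=mean + 2*sd
| eval _time=strptime(strftime(now(), "%Y-%m-%d ") . minute_of_day, "%Y-%m-%d %H:%M")
| fields _time low mean high
| rename mean AS avg
| untable _time series eventcount
| outputcsv mydailycsv.csv
```

Each line of the summary index is one historical minute, so stats by minute_of_day collapses the seven prior days into one mean and standard deviation per clock minute. The strptime line stamps every minute onto today's date, untable turns the three edge columns into three separate rows per minute with series set to low, avg or high, and the resulting 2160 rows are what the presentation search above pulls in with inputcsv. coalesce(sd, 0) only matters on the first day, when a single sample leaves stdev null, and the max(..., 0) keeps the bottom edge from going negative on quiet minutes.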
Thank you for your advice! Let me give this a shot and see how close it gets me to what I am looking for.