Hi
I would like to display a trend indicator between these 2 different relative times.
Is it possible?
index=toto sourcetype=tutu earliest=-8d@d+7h latest=-8d@d+19h OR earliest=@d+7h latest=@d+19h
| timechart count as "erreurs" span=1d
Thanks
They are the same time ranges.
The timewrap command may be what you are after, e.g.
| timechart count as "erreurs" span=1d
| timewrap 1d
If I do this, I have a result for the current day and a value for the last 7 days, so the trend works:
index=toto
| search cit > 10000
| timechart count span=7d
But what I need is to use the relative time for the current day and the relative time not for the last 7 days but for the day corresponding to day - 7.
Is it possible to do this?
earliest=-8d@d+7h latest=-8d@d+19h OR earliest=@d+7h latest=@d+19h
Doesn't the timewrap give you what you need?
index=_audit (earliest=-8d@d+7h latest=-8d@d+19h) OR (earliest=-d@d+7h latest=-d@d+19h)
| timechart fixedrange=f span=1h count
| timewrap 1d
| fields _time 7days_before latest_day
| addtotals
| where Total>0
| fields - Total
Sorry, it's not my need.
With a table panel, I can see the result of the latest day and the result for 7 days before.
But what I need is to display a single panel trend indicator, and it doesn't work with your example.
Do you mean either of these?
Your existing search will do the second one - just format the visualisation and show the trend as 7 days before
or add the final line to the query
| where count>0
and leave the trend as default and you get the first view?
If this is not what you want, can you expand on exactly what you want to see?