For any given time range, search and split the events into two halves of "day" or "hours", i.e. if "All Time" is selected as the time range using the Time Picker, I should be able to split the above events into two halves by day (firsthalf=sep15-sep14 and secondhalf=sep 13-sep12) or by hour (firsthalf=48hour secondhalf=48hour).
Then after splitting events into two halves, I must sum dataconsumed by app in both halves (events split by time), i.e.
time app total_dataconsumed
firsthalf yahoo 50
secondhalf yahoo 10
Find the difference between total_dataconsumed by app using firsthalf and secondhalf, i.e. firsthalf - secondhalf
I am still stuck on step 1. I don't seem to understand how one should split the search events into halves/spans and apply stats on both halves.
Your Base Search Here
| addinfo
| eval time=if((_time <= (now()-(if(isnum(info_max_time), info_max_time, now()) - info_min_time)/2)), "firsthalf", "secondhalf")
| stats sum(dataconsumed) AS total_dataconsumed BY app time
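
The same split carried through to step 3 (the per-app difference), as an added example that is not part of the original answer. It assumes that on an "All Time" search `addinfo` reports `info_min_time` as 0 and a non-numeric `info_max_time`, so it falls back to the earliest and latest event times to find the midpoint. The field names `first_event`, `last_event`, `range_start`, `range_end`, `midpoint` and `difference` are made up for this example, and `firsthalf` is the more recent half, as in the question.

```spl
Your Base Search Here
| addinfo
| eventstats min(_time) AS first_event max(_time) AS last_event
| eval range_start=if(info_min_time > 0, info_min_time, first_event)
| eval range_end=if(isnum(info_max_time), info_max_time, last_event)
| eval midpoint=range_start + (range_end - range_start) / 2
| eval time=if(_time >= midpoint, "firsthalf", "secondhalf")
| chart sum(dataconsumed) OVER app BY time
| fillnull value=0 firsthalf secondhalf
| eval difference=firsthalf - secondhalf
```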