Grazie @gcusello per la risposta.

Unfortunately the solution doesn't work for my case. As I explained, in the subsearch I would like to calculate the average for a value, but only for the specified hours of the main search in the last 7 days.

For example: If my main search looks at the data from 06:00 to 10:00 for today I want to calculate the average for the last 7 days also only for the hours 06:00 to 10:00 from each day.

Hi @simon_b,

you have to add an eval command to identify the values to consider, something like this:

<your_search>
| eval interesting_value=if(date_hour>5 AND date_hour<11,"value,"")
| timechart avg(intersting_value) AS average

in few words, you have to create a field that consider only the values in the hours you need (6.00-10.00) and then calculate avg on this field.

Ciao.

Giuseppe

Ciao @gcusello,

yes I know how to do that. The problem is that I need the timerange of the main search to filter for that hours in the subsearch.

It does not work this way.

Subsearches (in the most typical form) are not "called" from the main search. The subsearch is run first then its results are passed into the main search rendered accorting to the explicit or implicit return command.

So the subsearch runs with the timepicker-set search boundaries or the earliest/latest explicitly stated parameters. There is no way of "passing variables" from the main search to a subsearch.

Hi @simon_b,

don't think in terms of subsearch, create your search using parenthesis in the main search and the eval to take only the values you need.

If you could share your search in terms of rules and desidered output not considering syntax?

Ciao.

Giuseppe

Hi @gcusello , the search at the moment looks something like this:

index=index1
| regex id != "2|3|4" 
| join id
    [ search index=index2 latest=-0d earliest=-7d
    | regex id != "2|3|4" 

    ***some eval commands***

    | where (date_hour>hour_min) AND (date_hour<hour_max) 
    | stats mean(value1) AS "mean_value1" by id]
| table _time id mean_value1

The parameters I need in the subsearch are "hour_min" and "hour_max" which represent the earliest and latest hour of the main searches time picker.

Hi @simon_b,

you could reverse the join, something like this:

index=index2 latest=-0d earliest=-7d
    | regex id != "2|3|4" 

    ***some eval commands***
| join id
    [ search index=index1 | regex id != "2|3|4" | addinfo]
    | where (date_hour>hour_min) AND (date_hour<hour_max) 
    | stats mean(value1) AS "mean_value1" by id
| table _time id mean_value1

Ciao.

Giuseppe

Don't use join if you absolutely don't have to.

It seems that you're not "thinking in SPL" yet 😉

You usually can get around the joining thing with cleverly constructed stats.