I am trying to create a Timechart that will list out the TotalHours of that day and then subtract the previous day's TotalHours to see the hours difference in each day. This needs to span 14 days.
Basically I just need the Total Hours difference from one day to the next spanned across a timechart.
This is the data and query I have so far (not much):
-------Search-----
| where TotalHours != "0" AND _time>relative_time(now(), "-14d@d")
| dedup PROJECT_NUMBER _time
| table PROJECT_NUMBER TotalHours _time
| sort by PROJECT_NUMBER
| sort 0 PROJECT_NUMBER _time
| streamstats values(TotalHours) as previousTotalHours current=f window=1 by PROJECT_NUMBER
| eval diff=previousTotalHours-TotalHours
Below is the query that I have now
Search
|table PROJECT_NUMBER _time TotalHours
| sort 0 PROJECT_NUMBER _time
| streamstats values(TotalHours) as previousTotalHours current=f window=1 by PROJECT_NUMBER
| eval diff=previousTotalHours-TotalHours
I'm trying to see if I can get just the diff streamed out over a time period.
| xyseries _time PROJECT_NUMBER diff
This is what I'm getting now.
I think it's just populating from all the projects.
Is there a way to get all the project (sum) TotalHours and then subtract that from the previous day's total of TotalHours and then set the x axis as _time and the y axis as diff streamed across 2 weeks?
Again, thanks for your help.
| timechart sum(diff) as Total
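Added example, not part of the original thread: one way to chart the day-over-day change in TotalHours summed across all projects, which is what the last question asks for. `<base search>` is a placeholder for the search the thread does not show, and `DailyTotal` is a field name introduced here.

```spl
<base search>
| where TotalHours != "0" AND _time > relative_time(now(), "-14d@d")
| dedup PROJECT_NUMBER _time
| timechart span=1d sum(TotalHours) as DailyTotal
| delta DailyTotal as diff
| fields _time diff
```

`delta` subtracts the previous row from the current one, so `diff` is each day's total minus the previous day's total. The first day in the window has no previous row and therefore no `diff` value.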