good day!
when solving the problem of obtaining statistics, they encountered a problem. It is necessary to calculate the average number of events for a specific query. When using the bucket, the information is collected from the beginning of the hour. It is necessary to receive information from the current moment. If it's now 10.15, then you need to collect data from 08.15 to 09.15, then from 09.15 to 10.15 and so on.
query
| bucket _time span=1h
| stats count as tCount by _time
| eventstats avg(tCount) as aCount
You can use streamstats for that:
query
| streamstats time_window=1h count
time_window
Syntax: time_window=<span-length>
Description: Specifies the window size for the streamstats calculations, based on time. The time_window argument is limited by range of values in the _time field in the events. To use the time_window argument, the events must be sorted in either ascending or descending time order. You can use the window argument with the time_window argument to specify the maximum number of events in a window. For the <span-length>, to specify five minutes, use time_window=5m. To specify 2 days, use time_window=2d.
Default: None. However, the value of the max_stream_window attribute in the limits.conf file applies. The default value is 10000 events.
Note: this may not be a very efficient search, depending on how much data you have. You should probably consider using stats
on a smaller time period bucket (perhaps 1min) before piping the results into streamstats
, so that you don't run into performance or limits issues. streamstats
also retains the raw event and existing extracted fields, so including stats
before it would limit that to only fields you actually care about.
query
| bin span=1min _time
| stats count BY _time
| streamstats time_window=1h sum(count) AS count
I think relative_time
will solve your problem
... | eval n=relative_time(now(), "-1d@d")