I'm trying to get hourly averages and compare the last one to the previous one.
...some search | timechart span=60m avg(SampleValue)
However, this tends to count hourly events starting at 00 minutes of every hour up to 59 minutes. So if it is 5:01pm now and I have not received any event for SampleValue yet, it will show zero (or null) for this hour. Whereas I want it to start -60 minutes from now, so if it is 5:23pm now it should calculate an average over 4:24pm to 5:23pm, and so on for the last 24 hours. Currently it seems to calculate 4:00pm to 5:00pm and 5:00pm to 5:23pm (or 6:00pm theoretically). In short, it snaps to an hour whereas I want it to snap to a minute at the most...
I was working with timecharts and this worked for me:
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average
because timechart has the limitation that it only works with _time.
I don't know of a built-in way of doing what you ask using commands like bucket or bin. However, I think I figured out a way to get the value you would want per bucket. Depending on how dense your samples are, you could use makecontinuous and filldown to create a timechart with the data:
... your search ...
| eventstats min(_time) as start
| eval bin = floor((_time - start)/3600)
| eventstats avg(SampleValue) as average by bin
| fields SampleValue average
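To make the difference between the two answers above concrete, here is an added Python model of the three bucketings discussed in this thread: the clock-hour buckets that timechart span=1h produces, the "shift _time forward by (3600 - current minute*60)" trick from the first answer, and the floor((_time - start)/3600) bins from the second answer. This is example code written for this page, not Splunk's implementation and not code from either answer; the events, the 17:23 "now" and the SampleValue numbers are constructed so that the bucketings visibly differ, and it goes slightly beyond the thread by mapping the shifted buckets back to their real window start times.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SPAN = 3600  # one hour, in seconds, i.e. timechart span=1h

# Constructed sample data (not real Splunk events): "now" is 5:23pm as in the
# question, and there is one event every 10 minutes for roughly the past 3 hours.
# SampleValue is simply the event's index so that averages are easy to check.
NOW = datetime(2024, 1, 1, 17, 23, 0, tzinfo=timezone.utc)
EVENTS = [
    (NOW - timedelta(minutes=10 * i), float(i))  # (_time, SampleValue)
    for i in range(18)                           # 17:23, 17:13, ..., 14:33
]


def epoch(dt):
    """_time as epoch seconds, which is what Splunk's eval arithmetic works on."""
    return int(dt.timestamp())


def avg_by_bucket(events, key):
    """Equivalent of `eventstats avg(SampleValue) as average by bin`:
    group events by key(_time) and average SampleValue inside each group."""
    sums, counts = defaultdict(float), defaultdict(int)
    for t, value in events:
        k = key(epoch(t))
        sums[k] += value
        counts[k] += 1
    return {k: sums[k] / counts[k] for k in sorted(sums)}


def clock_aligned(events, span=SPAN):
    """What `timechart span=1h` does on its own: bucket starts snap to the
    clock hour (16:00, 17:00, ...), so the newest bucket is a partial hour."""
    return avg_by_bucket(events, lambda t: (t // span) * span)


def now_aligned(events, now, span=SPAN):
    """First answer's trick: add (3600 - minute_of_now*60) to _time so that a
    clock-hour bucket of the shifted data covers a window ending at now's minute.
    Only the minute is used (strftime %M), so seconds are ignored; an event
    stamped in the current minute therefore lands in a new, partial bucket.
    Keys are converted back to the real window start for readability."""
    shift = span - now.minute * 60
    shifted = avg_by_bucket(events, lambda t: ((t + shift) // span) * span)
    return {k - shift: v for k, v in shifted.items()}


def earliest_relative(events, span=SPAN):
    """Second answer's approach: bin = floor((_time - start)/3600), counted
    from the earliest event in the search results rather than from the clock."""
    start = min(epoch(t) for t, _ in events)
    return avg_by_bucket(events, lambda t: (t - start) // span)


def _show(title, buckets):
    print(title)
    for k, v in buckets.items():
        label = k if isinstance(k, int) and k < 10_000 else datetime.fromtimestamp(k, timezone.utc).strftime("%H:%M")
        print(f"  bucket {label}: average={v:.2f}")


if __name__ == "__main__":
    _show("clock-aligned (timechart span=1h):", clock_aligned(EVENTS))
    _show("now-aligned (eval _time shift, windows end at 17:23):", now_aligned(EVENTS, NOW))
    _show("earliest-relative (floor((_time-start)/3600)):", earliest_relative(EVENTS))
```

Running it shows why the asker sees a near-empty last bucket: clock alignment puts the 17:03, 17:13 and 17:23 events alone in the 17:00 bucket, while the shifted version averages the full 16:23 to 17:22 window. Two things to keep in mind with the eval trick in real Splunk: the shift is applied to _time itself, so the timechart's x-axis labels are moved forward by the same number of minutes, and because only %M is read, the window boundary is at minute precision, not second precision.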
What do you have your time range set to? I believe span works from the earliest time. I'm pretty sure 'Last 24 hours' snaps to the beginning of the hour. Try adding earliest=-24h to your search.