@bowesmana and @PrewinThomas give you two different approaches. I will put a different spin on Prewin27's append method. (BTW, there should be no need to sort by _time after timechart.) To avoid searching the same data multiple times, I use map. In the following example, I simplify interval split by restricting total search window to -1d@d - -0d@d.

| tstats count where index=_internal earliest=-1d@d latest=-0d@d
| addinfo ``` just to extract boundaries ```
| eval point1 = relative_time(info_min_time, "+7h"), point2 = relative_time(info_min_time, "+17h")
| eval interval = mvappend(json_object("earliest", info_min_time, "latest", point1),
json_object("earliest", point1, "latest", point2),
json_object("earliest", point2, "latest", info_max_time))
| mvexpand interval
| spath input=interval
| eval span = if(earliest == point1, "10m", "1h")
``` the above uses prior knowledge about point1 and point2 ```
| map search="search index=_internal earliest=$earliest$ latest=$latest$
| timechart span=$span$ count"

Obviously if your search window is not one 24-hour period, interval split becomes more complex. But the same logic can apply to any window.