Dal,
I completed the search with the extra additions you recommended, but the search is taking the same length of time as the old one. The events are over 7.5 million, but no stats or visuals as yet.
The full formula is the following, thanks
(earliest=-30d@d latest=@d index="main" source="splunk" agent_id="*") OR (earliest=@d latest=@h index="main" source="splunk" agent_id="*")
| bucket _time span=1d
| stats count as daycount by _time
| rename COMMENT as "The above gets you one record per day for history, one for today. Only records with source=agent_id will have the highest (@d) timestamp."
| rename COMMENT as "This moves the count for today into a new field, then calculates our averages."
| eventstats max(_time) as startofday
| eval todaycount = if(_time=startofday,daycount,null())
| eval daycount = if(_time 2
thanks
Colin
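As an added illustration of the logic the SPL pipeline above is building (not code from the post or from Splunk), here is the same day-bucketing and today-versus-history comparison in Python over a constructed set of event timestamps; the ratio threshold is an assumption, since the post's own cut-off is not visible.

```python
"""Day-bucketed event-count baseline, mirroring the SPL pipeline above.

Constructed sample input: epoch-second timestamps as a search over
index=main source=splunk agent_id=* might return them.
"""
from datetime import datetime, timezone
from collections import Counter

DAY = 86400

def bucket_day(epoch: int) -> int:
    """Equivalent of `bucket _time span=1d`: floor to midnight UTC."""
    return epoch - (epoch % DAY)

def day_counts(epochs):
    """Equivalent of `stats count as daycount by _time` after bucketing."""
    return Counter(bucket_day(t) for t in epochs)

def compare_today(epochs, threshold=2.0):
    """Split the latest bucket (today) from history and compare counts.

    Mirrors `eventstats max(_time) as startofday` and the eval that moves
    today's count into its own field. `threshold` is an assumed ratio
    (today / historical daily average) above which volume is flagged;
    the original post's threshold is not visible.
    """
    counts = day_counts(epochs)
    if len(counts) < 2:
        raise ValueError("need at least one history day plus today")
    startofday = max(counts)
    todaycount = counts[startofday]
    history = [c for day, c in counts.items() if day != startofday]
    avg = sum(history) / len(history)
    return {
        "todaycount": todaycount,
        "avg_daycount": avg,
        "ratio": todaycount / avg,
        "flagged": todaycount > threshold * avg,
    }

# Constructed sample: three history days near 100 events, today with 350.
_base = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())
SAMPLE_EPOCHS = (
    [_base + 0 * DAY + i * 600 for i in range(100)]
    + [_base + 1 * DAY + i * 600 for i in range(110)]
    + [_base + 2 * DAY + i * 600 for i in range(90)]
    + [_base + 3 * DAY + i * 60 for i in range(350)]
)

if __name__ == "__main__":
    print(compare_today(SAMPLE_EPOCHS))
```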