Assuming you have separate searches running from one time picker on your dashboard, if your search for today looked like
<your base search> | <other functions> | timechart <statsfunction>
You could have a separate panel search for the same time window yesterday using some subsearch trickery to adjust the earliest and latest timeframe of this search back to yesterday like so:
<your base search> [ noop | stats count
| addinfo
| eval earliest=relative_time(info_min_time,"-d")
| eval latest=relative_time(info_max_time,"-d")
| fields earliest latest
| format "" "" "" "" "" "" ]
| <other functions> | timechart <statsfunction>
How does this subsearch work, you might ask? Well, noop | stats count in a subsearch is a trick to generate a single event, with a single field of count=0, by running the undocumented "do nothing" noop command and then counting that nothing with stats. We use addinfo to add fields to our single event about the selected time window for the search, and then use eval to calculate the earliest and latest time based on the selected time window using the relative_time function. We only care about the earliest and latest fields from this subsearch, so we throw the rest away using fields. Finally, as earliest and latest should be written into the search as earliest=### latest=### , with no surrounding parentheses, no ANDs nor any ORs, we use the format command to do just that.
The rest of the search is the same as written.
Now it might be possible to get this running with multisearch command to run your search twice at the same time, and chart them onto the same graph, but I'm getting some unexpected results with a quick smoke test.
You may also be interested in the timewrap app & command as it would make stuff like this easier 🙂
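As an added example (not from the answer above), here is the same subsearch trick filled in for a concrete security use case, comparing failed SSH logins per hour against the same window one day earlier, and extended to overlay both series on one panel with append instead of two separate panels. The index, sourcetype and search string are assumed placeholders; adjust them to your environment.

```spl
index=auth sourcetype=linux_secure "Failed password"
| timechart span=1h count AS today
| append
    [ search index=auth sourcetype=linux_secure "Failed password"
        [ noop | stats count
        | addinfo
        | eval earliest=relative_time(info_min_time,"-d")
        | eval latest=relative_time(info_max_time,"-d")
        | fields earliest latest
        | format "" "" "" "" "" "" ]
      | timechart span=1h count AS yesterday
      | eval _time=_time+86400 ]
| stats sum(today) AS today sum(yesterday) AS yesterday BY _time
```

The inner subsearch expands to a literal `earliest=<epoch> latest=<epoch>` pair shifted back one day, the six empty strings given to format suppress its default `(`, `AND`, `)`, `OR` wrapping, and adding 86400 seconds to yesterday's _time lines its bins up with today's so the final stats merges them onto a single chart.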