I am looking to combine 3 different time periods into 1 chart. The 3 time periods will include last hour, previous hour and the week before the last hour. I want the chart to total for each time period.
I have been trying numerous search variations and various functions with no luck.
Thinking it should be something close to this, but I'm not really sure because I can't get data. I either receive the incorrect search function or data with the searches I am doing.
index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-1h latest=@h | chart count by log_subtype | [search index="logs" (sourcetype="traffic") (rule="data") log_subtype=end earliest=@h-2h latest=@h-1h] | chart count by log_subtype