Many thanks for the response! This works great AND it doesn't have a subsearch! 🙂
Follow up question: The next thing I'm trying to do is compare the current day to the appropriate average (i.e. a weekday to the average of all weekdays in the search). I've been playing around, and my query is becoming quite the monstrosity.
Do you have any thoughts on how to make this work (this is over the last 7 days) ? Let me know if it would be better to open a new question.
| timechart span=15m avg(num_x) as avg_data | eval day_of_week=lower(strftime(_time, "%A")) | eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday", avg_data,0) | eval Weekday=if(day_of_week!="saturday" AND day_of_week!="sunday",avg_data,0) | table _time Weekday Weekend | timewrap d series=short | rename Weekday_s0 AS current_weekday | rename Weekend_s0 AS current_weekend | addtotals Weekday_* AS sum_weekdays | addtotals Weekend_* AS sum_weekends | eval day=lower(strftime(_time, "%A")) | eval curr_day=if(day="saturday" OR day="sunday", current_weekend, current_weekday) | eventstats max(curr_day) as max_today | eval average=if(day_of_week="saturday" OR day_of_week="sunday", sum_weekends, sum_weekdays/5) | eval anom_upper=if(curr_day>10*average, max_today/2, 0) | eval anom_lower=if(curr_day<average/50, -(max_today/2), 0) | table _time, _span, curr_day, average, anom_upper, anom_lower
Right now only curr_day, anom_upper, and anom_lower are being graphed. average is nowhere in sight.
Note:
-I'm currently hardcoding the "divide by" value in calculating the average (I don't divide the weekend sum as there is only 1 weekend day to compare to right now, and I am dividing the weekday sum by 5).
-I'm assuming that addtotals will ignore any null values it might encounter.
Any thoughts would be so appreciated! Thanks!
... View more