To follow up on my comment above... this is definitely not very pretty, but it seems to be working:
| timechart span=15m avg(num_x) as avg_data
| eval day_of_week=lower(strftime(_time, "%A"))
| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday", avg_data, 0)
| eval Weekday=if(day_of_week!="saturday" AND day_of_week!="sunday", avg_data, 0)
| table _time Weekday Weekend
| timewrap d series=short
| rename Weekday_s0 AS current_weekday
| rename Weekend_s0 AS current_weekend
| addtotals Weekday_* fieldname=sum_weekdays
| addtotals Weekend_* fieldname=sum_weekends
| eval day=lower(strftime(_time, "%A"))
| eval curr_day=if(day="saturday" OR day="sunday", current_weekend, current_weekday)
| eventstats max(curr_day) as max_today
| eval average=if(day="saturday" OR day="sunday", sum_weekends, sum_weekdays/5)
| eval anom_upper=if(curr_day>10*average, max_today/2, 0)
| eval anom_lower=if(curr_day<average/50, -(max_today/2), 0)
| table _time, _span, curr_day, average, anom_upper, anom_lower
As I mentioned before, I am searching over the past 7 days and currently hardcoding the "divide by" value in calculating the average (I don't divide the weekend sum as there is only 1 weekend day to compare to right now, and I am dividing the weekday sum by 5). Any thoughts on how to get rid of the hardcoding (preferably without any subsearches) would be so appreciated!
Thanks!
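The logic in the search above (same time-of-day bucket, averaged over prior days of the same weekday/weekend class, flagged at more than 10x or less than 1/50 of that average) is shown here as an added, stand-alone Python example; it is not the poster's code or a Splunk search. It differs from the search in one way the post asks about: the divisor is the number of same-class baseline days actually present in the window, not a hardcoded 5 or 1, so a 6-day or 8-day window gives the right average without editing the query. The sample series is constructed (flat 100 per bucket on weekdays, 20 on weekends, with one injected spike and one injected drop on the current day), and the flags are returned as booleans rather than the +/- max_today/2 marker heights used for charting.

```python
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=15)   # matches timechart span=15m
BUCKETS_PER_DAY = 24 * 4
SPIKE_FACTOR = 10                # anom_upper: curr_day > 10 * average
DROP_FACTOR = 50                 # anom_lower: curr_day < average / 50


def day_class(ts: datetime) -> str:
    """Same split as the search: Saturday/Sunday are 'weekend', everything else 'weekday'."""
    return "weekend" if ts.weekday() >= 5 else "weekday"


def build_sample_series(start: datetime, days: int) -> dict:
    """Constructed sample data: 15-minute buckets, 100.0 on weekdays and 20.0 on weekends."""
    series = {}
    for i in range(days * BUCKETS_PER_DAY):
        ts = start + i * BUCKET
        series[ts] = 20.0 if day_class(ts) == "weekend" else 100.0
    return series


def score_day(series: dict, today: datetime) -> list:
    """Score every bucket of `today` against prior days of the same class.

    The baseline for a bucket at time-of-day T is the mean of the values at T on
    every earlier day in `series` with the same weekday/weekend class. The divisor
    is len(samples), i.e. derived from the data, instead of a hardcoded 5 or 1.
    """
    today_start = datetime(today.year, today.month, today.day)
    today_class = day_class(today_start)
    prior_days = sorted({datetime(t.year, t.month, t.day) for t in series if t < today_start})
    same_class_days = [d for d in prior_days if day_class(d) == today_class]

    rows = []
    for i in range(BUCKETS_PER_DAY):
        offset = i * BUCKET
        ts = today_start + offset
        if ts not in series:
            continue  # current day may be partial; only score buckets we have
        curr = series[ts]
        samples = [series[d + offset] for d in same_class_days if d + offset in series]
        average = sum(samples) / len(samples) if samples else None
        rows.append({
            "time": ts,
            "curr_day": curr,
            "average": average,
            "baseline_days": len(samples),   # the divisor the search hardcodes
            "anom_upper": average is not None and curr > SPIKE_FACTOR * average,
            "anom_lower": average is not None and curr < average / DROP_FACTOR,
        })
    return rows


def run_demo(window_start: datetime = datetime(2024, 1, 3), days: int = 8) -> list:
    """Constructed scenario: window_start..window_start+days, last day is 'today'."""
    series = build_sample_series(window_start, days)
    today = window_start + (days - 1) * timedelta(days=1)
    # Injected anomalies on the current day (constructed, not real data).
    series[today.replace(hour=12, minute=0)] = 5000.0   # > 10 * 100
    series[today.replace(hour=3, minute=0)] = 1.0       # < 100 / 50
    return score_day(series, today)


if __name__ == "__main__":
    for row in run_demo():
        if row["anom_upper"] or row["anom_lower"]:
            print(row["time"], row["curr_day"], "avg over", row["baseline_days"],
                  "days =", row["average"],
                  "UPPER" if row["anom_upper"] else "LOWER")
```

With the default window (Wed 3 Jan 2024 through Wed 10 Jan 2024) the current Wednesday is compared against five weekday baselines; shortening the window by a day drops that to four and the average is still correct, which is the part the search's `sum_weekdays/5` cannot do. A weekend day in the same window is compared against however many weekend days precede it, so the "don't divide the weekend sum" special case disappears as well.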