To follow up on my comment above...this is definitely not very pretty, but it seems to be working:
| timechart span=15m avg(num_x) as avg_data
| eval day_of_week=lower(strftime(_time, "%A"))
| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday", avg_data,0)
| eval Weekday=if(day_of_week!="saturday" AND day_of_week!="sunday",avg_data,0)
| table _time Weekday Weekend
| timewrap d series=short
| rename Weekday_s0 AS current_weekday
| rename Weekend_s0 AS current_weekend
| addtotals Weekday_* fieldname=sum_weekdays
| addtotals Weekend_* fieldname=sum_weekends
| eval day=lower(strftime(_time, "%A"))
| eval curr_day=if(day="saturday" OR day="sunday", current_weekend, current_weekday)
| eventstats max(curr_day) as max_today
| eval average=if(day="saturday" OR day="sunday", sum_weekends, sum_weekdays/5)
| eval anom_upper=if(curr_day>10*average, max_today/2, 0)
| eval anom_lower=if(curr_day<average/50, -(max_today/2), 0)
| table _time, _span, curr_day, average, anom_upper, anom_lower
As I mentioned before, I am searching over the past 7 days and currently hardcoding the "divide by" value in calculating the average (I don't divide the weekend sum as there is only 1 weekend day to compare to right now, and I am dividing the weekday sum by 5). Any thoughts on how to get rid of the hardcoding (preferably without any subsearches) would be so appreciated!
Thanks for following up--I really appreciate it.
Yup, I finally figured out that the issue was with how I put the regex search together. As I was experimenting around with the dashboard panel, I had somehow gotten my rex part to look something like:
| eval str="$text$"
| rex field= str"regex...."
That extra space after the equal sign and the deleted space after "str" completely did me in! I totally didn't notice it as I thought the issue was with the value of str coming from the dashboard textfield and str not being a field.
Then I read that the eval command actually creates a new field. One thing led to another, and I realized that all my regexes that were working looked different from the one I was currently working on...got to love syntax errors! Now I know!