I had a very similar requirement... you just need to bucket into 5 minute increments, then bucket again into a larger window (e.g. 1 hour) and calculate the average over that span:
host="web*.p1.dfw.minted.com" (source="/srv/minted/logs/app-requests.log" OR source="/srv/minted/logs/app-requests.log-*")
| jsonkv
| where isnotnull(visitor_id)
| bucket _time span=5m
| stats dc(visitor_id) as visitors by _time
| bucket _time span=1h
| timechart span=1h avg(visitors) as avg_visitors
All the best,
Luke 🙂
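The two-level bucketing in that reply, re-done in plain Python so the arithmetic is visible. This is an added example, not Luke's query or anything from the original thread; the JSON log lines, timestamps and visitor ids are constructed for the example, and the field names mirror what the `jsonkv` stage would extract. It also shows, for contrast, why the inner 5-minute step matters: a straight hourly `dc(visitor_id)` gives a different (larger) number than the hourly average of 5-minute distinct counts.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample log lines in the JSON shape the post's `jsonkv` stage
# would parse. Timestamps and visitor ids are invented for this example.
SAMPLE_LOG = """\
{"_time": "2024-03-01T10:01:00Z", "visitor_id": "v1", "path": "/"}
{"_time": "2024-03-01T10:03:00Z", "visitor_id": "v2", "path": "/cart"}
{"_time": "2024-03-01T10:04:00Z", "visitor_id": "v1", "path": "/checkout"}
{"_time": "2024-03-01T10:07:00Z", "visitor_id": "v1", "path": "/"}
{"_time": "2024-03-01T10:12:00Z", "visitor_id": null, "path": "/healthz"}
{"_time": "2024-03-01T10:31:00Z", "visitor_id": "v3", "path": "/"}
{"_time": "2024-03-01T10:33:00Z", "visitor_id": "v4", "path": "/"}
{"_time": "2024-03-01T10:34:00Z", "visitor_id": "v5", "path": "/"}
{"_time": "2024-03-01T11:02:00Z", "visitor_id": "v1", "path": "/"}
"""


def parse_events(text):
    """Equivalent of `jsonkv | where isnotnull(visitor_id)`: one record per
    line, _time converted to epoch seconds, events without a visitor_id
    (missing key or JSON null) dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("visitor_id") is None:
            continue
        ts = datetime.strptime(rec["_time"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append((int(ts.timestamp()), rec["visitor_id"]))
    return events


def bucket(epoch, span):
    """`bucket _time span=...`: floor the timestamp to the span boundary."""
    return epoch - (epoch % span)


def distinct_visitors_per_bucket(events, span=300):
    """`bucket _time span=5m | stats dc(visitor_id) as visitors by _time`.
    Returns {bucket_start_epoch: distinct visitor count}."""
    seen = defaultdict(set)
    for ts, vid in events:
        seen[bucket(ts, span)].add(vid)
    return {b: len(v) for b, v in seen.items()}


def avg_visitors_per_window(events, inner=300, outer=3600):
    """`... | bucket _time span=1h | timechart span=1h avg(visitors)`.
    As in the SPL, only inner buckets that actually contained events exist
    as rows, so empty 5-minute slots do not drag the hourly average down."""
    per_bucket = distinct_visitors_per_bucket(events, inner)
    grouped = defaultdict(list)
    for b, n in per_bucket.items():
        grouped[bucket(b, outer)].append(n)
    return {w: mean(vals) for w, vals in grouped.items()}


def distinct_visitors_per_window(events, span=3600):
    """For contrast: a plain hourly dc(visitor_id), i.e. what you get if
    you skip the inner 5-minute bucketing."""
    return distinct_visitors_per_bucket(events, span)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for w, avg in sorted(avg_visitors_per_window(evs).items()):
        hour = datetime.fromtimestamp(w, timezone.utc).isoformat()
        print(hour, "avg 5-min distinct visitors:", round(avg, 2))
    for w, n in sorted(distinct_visitors_per_window(evs).items()):
        hour = datetime.fromtimestamp(w, timezone.utc).isoformat()
        print(hour, "hourly dc(visitor_id):", n)
```

On the sample, hour 10:00 has three populated 5-minute buckets with 2, 1 and 3 distinct visitors, so the hourly average is 2.0, while the hourly distinct count is 5. If you want empty 5-minute slots to count as zero instead of being absent, that has to be done explicitly (in SPL, for instance with `makecontinuous` or `fillnull` before the final `timechart`); the query as posted does not do that.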