I have a string field (publication_date) that is displaying a date in the following format YYYY/mm/dd. Ultimately I would like to display in a dashboard any logs displaying a publication_date within the last 7 days. I suspect I am having trouble because it is a sting field and not numeric but have been unsuccessful in finding the correct syntax. ... View more

Here is the search that I am attempting: (Intended outcome: compare login successes from a 24 hour period to an average of login successes over a 30 day period. Complication: logs are stamped with UTC) index=myindex type=user_auth acct=admin OR acct=temp res=success earliest=-24h | eval local_date_hour = strftime(_time, "%H") (adjustment for logs stamped with UTC) | stats count as Recent_Event_count by local_date_hour |** join** local_date_hour [search type=user_auth acct=admin OR acct=temp res=success earliest=-30d@d | eval local_date_hour = strftime(_time, "%H") (adjustment for logs stamped with UTC) | stats count by local_date_hour | addinfo | eval days = round((info_max_time-info_min_time) / 86400) | eval Average_Event_Count = round(count / days, 2)] | fields local_date_hour, Average_Event_Count, Recent_Event_Count | sort +local_date_hour For some reason the "Average_Event_Count" is not calculating properly. For example if my Recent_Event_Count for hour 1 is 39766, the Average_Event_Count is showing 12022.07, which is a fraction of the anticipated results. If I remove the join and perform each of the searches separately, expected results are returned for each count. This leads me to believe that the join is causing an issue. I should also note that I am using a very similar search (without adjustments for UTC) for other dashboard panels and it seems to be calculating as expected. Even if I remove the adjustment for UTC, the problem remains. I am hoping there is an uncomplicated answer as I am a new user 😃 ... View more