Not sure if this is what you are looking for?

index=k8s_events namespace=ecom-middleware NOT method=OPTIONS response_code>200
| bin _time span=1d
| stats count by path _time
| streamstats window=5 sum(count) as total_count avg(count) as avgCount by path
| fields _time path total_count avgCount

Say you run that search over the last 30 days, where each row is a unique day with path. And each row has a '_time' field, and an 'avgCount' field. The avgCount field will be the average events per day, during that day and the 4 days preceding it.
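The following Python sketch is an added example, not part of the original post and not Splunk's implementation. It models the trailing 5-row window per path that the `streamstats` line computes, over constructed rows, and shows what the window covers when a path has no row for some days. The `/cart` and `/login` paths, the counts, and the `span_days` diagnostic are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed sample: (day, path, count) rows as `stats count by path _time`
# would emit them. /cart has no row for Jan 3-4 (no matching events those days).
ROWS = [
    (date(2024, 1, 1), "/cart", 10),
    (date(2024, 1, 2), "/cart", 20),
    (date(2024, 1, 5), "/cart", 30),
    (date(2024, 1, 6), "/cart", 40),
    (date(2024, 1, 7), "/cart", 50),
    (date(2024, 1, 8), "/cart", 60),
    (date(2024, 1, 1), "/login", 4),
    (date(2024, 1, 2), "/login", 8),
]

def rolling_by_path(rows, window=5):
    """Trailing sum/avg over the last `window` rows of each path, current row included."""
    recent = defaultdict(lambda: deque(maxlen=window))
    out = []
    # Process rows grouped by path, in time order within each path.
    for day, path, count in sorted(rows, key=lambda r: (r[1], r[0])):
        win = recent[path]
        win.append((day, count))          # oldest row drops out once the window is full
        total = sum(c for _, c in win)
        out.append({
            "_time": day,
            "path": path,
            "total_count": total,
            "avgCount": total / len(win),  # early rows average over fewer than `window` rows
            # Hypothetical diagnostic, not a Splunk field: calendar days the window spans.
            "span_days": (day - win[0][0]).days + 1,
        })
    return out

def lookup(results, path, day):
    """Return the result row for one path on one day."""
    return next(r for r in results if r["path"] == path and r["_time"] == day)

if __name__ == "__main__":
    for r in rolling_by_path(ROWS):
        print(r["_time"], r["path"], r["total_count"],
              round(r["avgCount"], 2), r["span_days"])
```

In this model the window counts rows, so on a path with missing days the five rows behind `avgCount` can span more than five calendar days.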