Basically, I want to plot a baseline (average count per host over 1 week) over an existing graph I have of my "top 10 talkers".
Dropping this problem down to two hosts for simplicity, let's say I have a host, "foo". When I run | tstats count WHERE (host=foo* OR host=bar*) by host, _time, I get a table similar to the following:
host | _time | count
--- | --- | ---
foo | 2018-11-11 | 3719
foo | 2018-11-10 | 1344
foo | 2018-11-09 | 9615
bar | 2018-11-11 | 4894
bar | 2018-11-10 | 8897
bar | 2018-11-09 | 128
Now, what I want to do is the following:
1. Average all days OTHER than the current day (in the above example, get the average of the count of the 9th and 10th) per host. [EX: Average of 9th and 10th for foo is 5,479.5, Average of 9th and 10th for bar is 4,512.5]
2. Add the average taken as a new column for ALL days of that host, including today.
3. I then want to discard all entries older than today, leaving me with just today's foo and bar values, as well as their averages over the previous two days.
4. I then want to plot these two in a bar graph, with a line through the bar showing the average value (or some other similar marker over the bar to indicate what the average over the previous 2 days was).
So really, I want my results to look something like this.
Here's what I have now.
| tstats count by host, _time
| eval time=_time
| eval day=strftime(time,"%j")
| eval today=strftime(now(),"%j")
| eventstats avg(count) AS average by host
| where day<today
| sort -count
Basically, I can't figure out: how do I get the where clause to apply ONLY to the eventstats clause (AKA "perform an eventstats only on results where day")?
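One way to scope the baseline to prior days only, as an added example that is not from the original post or any answer to it: do the "only prior days" filtering inside eventstats with an eval that returns null for today's bucket, then let the where clause keep just today. It assumes daily buckets (span=1d) and the same foo/bar host filter as the question.

```spl
| tstats count WHERE (host=foo* OR host=bar*) BY host _time span=1d
| eval day=strftime(_time,"%Y-%m-%d"), today=strftime(now(),"%Y-%m-%d")
| eventstats avg(eval(if(day<today, count, null()))) AS average BY host
| where day=today
| table host count average
| sort -count
```

avg() ignores null values, so today's bucket does not dilute the per-host baseline; %Y-%m-%d is used so the string comparison day<today also holds across a year boundary, which %j would not.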