I have this search, and it works correctly:
source=foo resource=bar earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart max(usage) over id by Day | where Yesterday!=Today | sort Today
It shows Today's bar on the left of Yesterday's bar for each id. I tried to reverse the order, to show Yesterday's bar on the left of Today's bar for each id, but did not find a way to make it work unless I rename the column(s), e.g. rename "Yesterday" to "Before" and rename "Today" to "Now". It appears that the default behavior is to sort in alphabetical order. Is there a better way to do this?
Thank you
... View more