Hi and thanks.
I've been researching and trying methods to do this (even tried timewrap) and am (finally) asking for some help.
Objective: Compare "stats avg(Dur) as ALOC_secs" for a recent single hour with a single hour 1 week ago. Initially, just to get it to 'work', then to trigger an alert based on an unacceptable (yet undefined) delta.
When I use the below search without the stats line, I get a count of results for the desired hours. However, since it is not a count that I need, the 'chart count ...' line (I suppose) is problematic. I haven't found the proper command/syntax to retrieve results that can be displayed and used to build an alert.
Thank you for your help.
sourcetype=sbc2 Sip_Resp=200 earliest=-60m@h latest=-0m@h
| stats avg(Dur) as ALOC_secs
| eval marker="today"
| append [search sourcetype=sbc2 Sip_Resp=200 earliest=-10140m@h latest=-10080m@h
| stats avg(Dur) as ALOC_secs
| eval marker="weekAgo"
| eval w1_time=_time+(7*24*60*60)]
| eval _time=if(isnotnull(w1_time), w1_time, _time)
| chart count(eval(marker=="today")) as lastHour , count(eval(marker=="weekAgo")) as sameTimeLastWeek by _time span=1h
| rename _time AS Time | eval Time=strftime(Time, "%H:%M")
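One way to get the two hourly averages side by side and alert on the difference, as an added example that is not part of the original post. In the search above, `stats avg(Dur)` drops `_time`, so the later `chart ... by _time` has nothing to bucket. This version puts both averages on one row instead. The field name `delta_pct` and the 20 percent threshold are assumptions, since the post leaves the acceptable delta undefined.

```spl
sourcetype=sbc2 Sip_Resp=200 earliest=-60m@h latest=@h
| stats avg(Dur) as lastHour
| appendcols
    [ search sourcetype=sbc2 Sip_Resp=200 earliest=-10140m@h latest=-10080m@h
    | stats avg(Dur) as sameTimeLastWeek ]
| eval delta_secs=round(lastHour - sameTimeLastWeek, 2)
| eval delta_pct=round(100 * (lastHour - sameTimeLastWeek) / sameTimeLastWeek, 1)
| where isnotnull(delta_pct) AND abs(delta_pct) > 20
```

Saved as an alert that triggers when the number of results is greater than zero, this fires only when the last full hour differs from the same hour a week earlier by more than the threshold.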