I'd like to plot in a timechart the count of events over the last 30 days.
In addition to this, I'd like another line which plots a line over the same period from a static value which is derived from the total of counts over the last month / 22.
Whilst I have no problem displaying the count of events over 30 days, I'm unsure as to how to plot a static value (ie. calculate a static value and plot it against all times as a threshold).
The following displays the average based on monthly count.
[[search>]] earliest=-30d@d latest=@d
| bucket _time span=1d | stats count as Volume by _time | rename _time As Date | eval Date = strftime(Date, "%a, %b %d")
| eventstats avg(Volume) as "Threshold Volume" | rename Volume as "Daily Volume"
However I actually want the 'Threshold Volume' to instead be derived from Volume / 22.
Thanks in advance for your help
... View more
