Hi,
I currently have a search that I use to allow me show day variances using timewrap. It works fine with low amount of data but I don't believe it is probably the best for efficiency.
My aim for the search is to show today, yesterday and last week on a line chart.
Search:
index=abc earliest=-8d@d latest=+d@d | timechart span=15m count | timewrap 1d | fields _time latest_day 1day_before 7days_before
Time range:
@d+6h - now
So my search goes and obtains all the previous days and only keeps the 3 i require. If this can be improved then i would appreciate the help.
Thanks
↧