I'm trying to do a chart with a timeline as to when notable events come into our environment. A simple search with a time picker works well:
`notable` | timechart count span=1h
This gives us a column chart with the number of tickets that came in per hour.
What I would like is a chart over the past 7 days with the number of tickets that came in per hour. I would then like to overlay another chart with the average times tickets came in over the past 3 weeks. We have another search that does this for failed logons, so working off of that one, I came up with this search. However, it looks like the "earliest" and "latest" commands aren't working with our `notable` search. Can anyone assist me with getting hard set time frames working with the `notable` search?
`notable` | where earliest=-7d@h
| timechart count span=1h as "Tickets by Hour"
| appendcols [search `notable` | where earliest=-14d@h latest=-7d@h | timechart span=1h count as "notables1"]
| appendcols [search `notable` | where earliest=-21d@h latest=-14d@h | timechart span=1h count as "notables2"]
| appendcols [search `notable` | where earliest=-28d@h latest=-21d@h | timechart span=1h count as "notables3"]
| eval NotablesTotal = ("notables1" + "notables2" + "notables3")
| eval NotablesAverage = round(NotablesTotal/3,0)
| fields - notables1 notables2 notables3 NotablesTotal
| outlier action=transform
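
Added example, not part of the original post: `earliest` and `latest` are time modifiers of the `search` command, while `where` evaluates an eval expression, so the windows can instead be expressed as comparisons on `_time`. This sketch builds the 7-day hourly count and the average of the three preceding weeks in one pass; it assumes the time picker covers at least the last 28 days, and the field names `weeks_ago` and `prior` are hypothetical.

```spl
`notable`
| where _time >= relative_time(now(), "-28d@h") AND _time < relative_time(now(), "@h")
| bin _time span=1h
| eval weeks_ago = floor((relative_time(now(), "@h") - _time - 1) / 604800)
| eval _time = _time + weeks_ago * 604800
| timechart fixedrange=false span=1h count(eval(weeks_ago=0)) as "Tickets by Hour" count(eval(weeks_ago>0)) as prior
| eval NotablesAverage = round(prior / 3, 0)
| fields - prior
```

Each event is tagged with how many whole weeks back its hour falls (0 to 3) and then shifted forward by that many weeks, so all four weeks land on the same hourly buckets. `fixedrange=false` keeps the x-axis to the shifted 7-day range instead of the full 28-day search window.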