I am trying to create a search to show the previous 24 hour count using timechart so I can show the previous 24 hours with a trend on the single value in a dashboard. This dashboard will be used in real-time, so I am looking for previous 24h from the current time, not day by day. I have the following search.
(search) earliest=-48h | timechart span=24h count
I have determined the results are from the previous 48 hours, but the results are not grouped correctly. I'm looking for 2 results, now-24h and 24h-48h. The groups are split over 5pm, no matter what time the search is run.
_time count
2016-06-17 17:00 12
2016-06-18 17:00 71
2016-06-19 17:00 55