We have a dashboard and wanted to add timepicker into this but it's not working since the following base search has earliest and latest it's hard coded. I'm wondering if we have any other way to add time picker by sustituting the earliest and latest with something and also improve the speed of the dahboard ? Here is the query
index=foo sourcetype=xyz earliest=-0d@d latest=now| bin _time span=5m
| stats dc(ecn) as Current by _time
| appendcols [ search index=foo sourcetype=xyz earliest=-7d@d latest=-6d@d |eval _time=_time+60*60*24*7
| bin _time span=5m |stats dc(ecn) as LastWeek by _time ]
| appendcols [search index=foo sourcetype=xyz earliest=-14d@d latest=-13d@d
| bin _time span=5m |stats dc(ecn) as TwoWeeksAgo by _time]
| appendcols [search index=foo sourcetype=xyz earliest=-21d@d latest=-20d@d
| bin _time span=5m |stats dc(ecn) as ThreeWeeksAgo by _time]
| appendcols [search index=foo sourcetype=xyz earliest=-28d@d latest=-27d@d
| bin _time span=5m |stats dc(ecn) as FourWeeksAgo by _time]
| eval AvgOfFourWeeks=(LastWeek+TwoWeeksAgo+ThreeWeeksAgo+FourWeeksAgo)/4
| eval Diff1=LastWeek-Current | eval Diff2=AvgOfFourWeeks-Current
| eval Est_Impact= Diff1-Diff2
| fields _time Current LastWeek AvgOfFourWeeks Diff1 Diff2 Est_Impact
↧