I can't seem to find a solution for this. I've created a chart over a given time span. I've been able to add a column for the totals for each row and total averages at the bottom but have not been able to figure out how to add a column for the average of whatever the selected time span would be.
What I have so far ....
index=*
| bucket _time span=1d
|convert ctime(_time) AS date timeformat="%Y/%m/%d"
| chart count over host by date
| addtotals
| appendpipe [stats avg(* ) as *]
↧