Hello,
Sorry if this has been answered before; however, I am struggling with a search that I am trying to build.
The ideal result that I am trying to achieve is the following:
I want a time chart to display the last two hours for a field like duration. In addition to showing the last two hours, I want it to show the same hours, but for the previous 3 days. Therefore, I want to compare the recent/latest two hours with those of the previous days.
I thought I could achieve this with the timewrap app, but I am struggling to write the search:
index="main"
[stats count | eval earliest="-4d" | fields earliest]
[stats count | eval latest="now" | fields latest]
| timechart avg(duration)
| timewrap d
Please let me know if I have not provided enough information.