Hi,
I have a problem with comparing today's data with data from a week ago. Here is the query I run:
sourcetype="abc" Service="xyz" earliest=-0d@d latest=now | eval ReportKey="Today" | append [search sourcetype="abc" Service="xyz" earliest=-7d@d latest=-6d@d | eval ReportKey="LastWeek" | eval new_time=_time+60*60*24*7] | eval _time=if(isnotnull(new_time), new_time, _time) | timechart avg(Time) by ReportKey
This works to some extent. The issue is that the subquery - data from a week ago - does not appear fully. Meaning I can see data from 4PM until midnight but not prior to 4PM, and I know for a fact that there is data for the entire day - starting at 00:00:01AM.
Can someone help me with this one?
Thank you very much!