Greetings all. I am trying to use the earliest and latest fields to filter out some event data. This is for the purpose of creating an average and standard deviation for the week prior to an event occurring, thus giving me a rolling average that I can compare certain field values to, and see how many standard deviations away from the average the field falls.

Here is the code I originally used in my subsearch:

|join type=left host [search index=sandbox sourcetype="PSBC_SevOne" earliest=-1w@h |stats avg(GLOBAL_CALLS_PER_SECOND) AS PSBC_AVG_CPS stdevp(GLOBAL_CALLS_PER_SECOND) AS PSBC_STDEVP_CPS avg(GLOBAL_CONCURRENT_SESSIONS) AS PSBC_AVG_GCS stdevp(GLOBAL_CONCURRENT_SESSIONS) AS PSBC_STDEVP_GCS by host]

I would like to modify it to something similar to this:

|join type=left host [search index=sandbox sourcetype="PSBC_SevOne" earliest=-1w@h latest=_time |stats avg(GLOBAL_CALLS_PER_SECOND) AS PSBC_AVG_CPS stdevp(GLOBAL_CALLS_PER_SECOND) AS PSBC_STDEVP_CPS avg(GLOBAL_CONCURRENT_SESSIONS) AS PSBC_AVG_GCS stdevp(GLOBAL_CONCURRENT_SESSIONS) AS PSBC_STDEVP_GCS by host]

However whenever I try to do this it tells me that _time is an invalid entry. Is there any way to get this sort of functionality? I know that when running backfill to pipe the results to a summary index this will work, however for my development environment it can display potentially misleading results.