Hi all. I'm creating a dashboard for one of our systems, and am trying to create a chart that will show the previous 7 days average (baseline), and compare with the ongoing / current daily average. Reason for this would be to see if we're exceeding, or if there are spikes above the weekly average.

Based on the dashboard I'm creating, my search is a little goofy, since I'm piping in an inputlookup, as well as using transaction since there are multiple start/stop times for the entire transaction. So I'm using transaction to get my duration for each job.

Here's an example of my search:

index=blah [| inputlookup myInputLookup.csv | search environment=stage | fields host] | transaction job_guid keepevicted=true

The above will give me a detailed breakdown of start/stop times for my transactions / jobs, based on a guid. This tells me the entire processing time for my transactions. I'm getting my ongoing / current daily average by piping the following:

| timechart avg(duration) AS avg_sec | fillnull value=0

Running this for the day (our dashboard would display all data for current day, and refresh every minute), would show _time & avg_sec (not using span, just letting it timechart for the day automatically). There are gaps since the transactions are not occuring 24/7, which is why I'm filling null with 0.

So my question to you all is, how can I pull the previous 7 days average, into my ongoing / current daily average, in order to compare last 7 days average, with the current day average? Am I going about my averages all wrong? Appreciate the help folks!