Answers for "How can I run a search that will use data from buckets from a specific time interval?"
We can interpret your question a number of ways. Here's one easy way that illustrates what you want to know.
index=foo earliest=-60m@m latest=@m
| bin _time span=10s
| rename COMMENT as "The above gives you 360 time buckets at 10s each"
| rename COMMENT as "roll up each bin, and calculate the average for up to 50 bins before it"
| stats count as mycount by _time
| streamstats current=f count as recno avg(mycount) as avgcount window=50
| rename COMMENT as "throw away the first 50 bins and any bins less than average"
| where (recno>=50) AND (mycount>avgcount)
----------
Also, please remember that, by definition, about half of all bins are going to contain more events than average. If you get no results from the above, then change to `window=51`. (It means I was wrong about whether `current=f window=50` meant the last 50 or the last 49 events.)
----------
If you are looking for bins that are *significantly* above average, then you might want to consider using "average plus some number of standard deviations".
| streamstats current=f count as recno avg(mycount) as avgcount stdev(mycount) as stdevcount window=50
| rename COMMENT as "throw away the first 50 bins and any bins less than average plus 2 stdevs"
| where (recno>=50) AND (mycount>avgcount+2*stdevcount)Thu, 28 Sep 2017 22:50:08 GMTDalJeanis