So I need to get the latest sales stats by country over many different timescales (like right now, so far today, last 7 days. so far this month, last 4 weeks, so far this year, etc)
So I created a an efficient saved search for the year, which summarises sales by country,day
Then i created the multiple charts for different timeframes, but no matter how I try and set earliest and latest times, they are ignored and all charts are for 'All-Time'
Saved Search:
index=blah host=xxx sourcetype=sales COUNTRY!=NULL earliest=@y latest=@d date_hour>22 | append [|search index=blah host=xxx sourcetype=sales COUNTRY!=NULL earliest=@d latest=now] | table _time VALUE_IN_EURO COUNTRY date_wday date_mday date_month date_year
PostProcess Search:
stats latest(VALUE_IN_EURO) as euro by COUNTRY,date_mday| stats sum(euro) by COUNTRY
Now lets say I want to try and get a relative timescale like last 7 days, I have tried the following:
Setting the timepicker in the simple xml panel editor to last 7 days. (gets reset to alltime afterwards)
Setting -7d@d using the earliest tag in the search tag
Setting -7d@d using using the earliestTime tag in the search tag
Changing the PostProcess Search to search earliest=-7d@d latest=now | stats latest(VALUE_IN_EURO) as euro by COUNTRY,date_mday| stats sum(euro) by COUNTRY (produces zero results)
Its driving me mad! Any help appreciated!!! Or maybe its just not possible to filter the results of a saved search by time? Though it seems like a fairly obvious use of a saved search to produce an efficient dasboard 🙂
... View more