Thanks @DavidHourani - that could be it, although the sample size is every 30 minutes, so I would have thought that 7 days would only have had 7*48=336 data points. the base
e.g.
<search base="baseSearch">
<!-- Group the events into 30 min block so we can get some realistic averages for success/failure percentage. If we use a shorter duration, the numbers fluctuate too much -->
<query>
<![CDATA[
| bin _time minspan=30m
| stats sum(success_count) as success_count sum(partial_count) as partial_count sum(failure_count) as failure_count sum(count) as count avg(avg_duration) as avg_duration by _time, SERVICE
| eval success_rate=((success_count/count)*100)
| stats sparkline(avg(success_rate)) as "Success Rate Trend" avg(success_rate) as "Success Rate Avg" first(success_rate) as "Success Rate Last" sum(success_count) as success_count sum(partial_count) as partial_count sum(failure_count) as failure_count sum(count) as count avg(avg_duration) as "Avg Duration" sparkline(avg(avg_duration)) as "Avg Duration Trend" by SERVICE
| sort "Success Rate Avg"
]]>
</query>
</search>
If I want it to dynamically modify the span based on the selected time window, is there an easy way to do that within the query? Currently I have a time picker on the page and run the base query based on the values in there, so I have access to variables for $time_token.earliest$ and $time_token.latest$
Thanks,
Phil
... View more