Hello,
I have a search where I would like to compare the count of one search result against its running weekly average. This appears to work. However, I would like to replicate this search across 14+ values for Field. I was building a dashboard with each field value as a separate report, and I couldn't help but wonder if there was a way for me to append all the search results together. As written, I know I'll need to add an evaluation for naming the row, but it also parses incredibly slowly. Both searches share the portion "foo", differing only by their Field value. Is there any way to reuse the search result in parallel like this, or is my general approach wrong?
foo Field="Bar" earliest=-7d latest=@h
| timechart span=1h count
| eval StartTime=relative_time(now(), "-24h@h")
| eval Series=if(_time>=StartTime, "Todays ", "Average ")
| eval Hour=strftime(_time, "%H")
| chart avg(count) by Hour Series
| where Hour=strftime(now(), "%H")
| append
[search foo Field="Baz" earliest=-7d latest=@h
| timechart span=1h count
| eval StartTime=relative_time(now(), "-24h@h")
| eval Series=if(_time>=StartTime, "Todays ", "Average ")
| eval Hour=strftime(_time, "%H")
| chart avg(count) by Hour Series
| where Hour=strftime(now(), "%H")]