I'm trying to search through my logs and extract sum(x) for a time of 7am to 7am. If I search for exactly one 24h period, from 7am-7am (-1d@d+7h,@d+7h), I get the expected answer. However, if I set the timeframe to 48h, (-2d@d+7h,@d+7h), I get the wrong answer.
Example: (-1d@d+7h,@d+7h) custom time frame
index=foo other-stuff-here | chart sum(saveSize) as TotalSize(KB)
I get the expected result of 123456KB.
This works for 48h sum: (-2d@d+7h,@d+7h) custom time frame
index=foo other-stuff-here | chart sum(saveSize) as TotalSize(KB)
However, I want a chart of 2 - 24h periods in the specified 48h. I tried a couple things which failed.
Gives me one sum for all 48h and doesn't 'split' by bins:
index=foo other-stuff-here | bucket _time bins=2 | chart sum(saveSize) as TotalSize(KB) by _time
Gives me 3 buckets, one for each 'day' the 48h spans:
index=foo other-stuff-here | bucket _time span=24h | chart sum(saveSize) as TotalSize(KB) by _time
Any thoughts?
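The bucket behaviour described in the post above, as an added example that is not part of the original post: a small Python model of 24h bucketing, showing why midnight-aligned edges split a 7am-to-7am 48h window into three buckets and how shifting the edges by 7h gives two. The event data, the function names and the UTC-midnight alignment are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400          # seconds in a 24h bucket
OFFSET = 7 * 3600    # desired bucket edge: 07:00


def bucket_sums(events, offset=0):
    """Sum sizes into 24h buckets whose edges sit `offset` seconds
    after midnight UTC. offset=0 models midnight-aligned buckets."""
    sums = defaultdict(int)
    for ts, size in events:
        # Shift back, floor to a whole day, shift forward again.
        start = (ts - offset) // DAY * DAY + offset
        sums[start] += size
    return dict(sorted(sums.items()))


def sample_events():
    """Constructed data: one event every 6h across a 48h window that
    starts at 07:00 UTC on 2024-01-01, each with saveSize 10."""
    t0 = int(datetime(2024, 1, 1, 7, tzinfo=timezone.utc).timestamp())
    return [(t0 + i * 6 * 3600, 10) for i in range(8)]


def describe(buckets):
    """Render bucket start times as readable strings."""
    return {
        datetime.fromtimestamp(k, tz=timezone.utc).strftime("%Y-%m-%d %H:%M"): v
        for k, v in buckets.items()
    }


if __name__ == "__main__":
    events = sample_events()
    print("midnight-aligned:", describe(bucket_sums(events)))
    print("07:00-aligned:   ", describe(bucket_sums(events, OFFSET)))
```

A common way to express the same shift in SPL is `eval _time=_time-25200 | bin _time span=1d | eval _time=_time+25200` ahead of the `chart ... by _time`; this is offered as one approach, not as an answer taken from the thread.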