index=_internal type=usage idx=wineventlog | bucket span=1d _time | stats sum(b) as sum by h,_time
The above query gives the sum for "b" values over a period of one day. If I run the query for a time period of two days, I get two sums for "h". The difference between these two sums needs to be found.