I'd like to assess how many events I'm getting per hour for each value of the signature field. However, stats calculates an average that excludes the hours that don't return any events (i.e., this isn't a true average of events per hour). I know how to accomplish this if I'm using a static time scope - however, I'd really like to leverage this search in a dashboard with a timepicker. My search is as follows...
| mvexpand signature
| bucket _time span=1hour
| stats count by signature,_time
| stats avg(count) as average by signature
| eval average=round(average,2)
| sort - average
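One way to get a per-hour average that counts the empty hours, as an added example that is not part of the original post: `addinfo` attaches the search's own time bounds (`info_min_time`, `info_max_time`) to every event, so the divisor follows whatever the timepicker selects. The names `events`, `range_start`, `range_end` and `hours` are chosen here for illustration, and the pipeline is meant to follow the same base search as above.

```spl
| mvexpand signature
| addinfo
| stats count as events, min(info_min_time) as range_start, max(info_max_time) as range_end by signature
| eval hours=(range_end - range_start) / 3600
| eval average=round(events / hours, 2)
| sort - average
| fields signature, events, hours, average
```

This assumes a bounded time range: with "All time", `info_min_time` is 0 and `info_max_time` is `+Infinity`, so `hours` is not meaningful.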