Hey all, I'm working on a network overview dashboard. What I currently have is a saved search showing the last 7 days (per hour) of firewall denies, but that information is useless without a baseline. So what I need is an overlay of the monthly average by week per hour. (If I'm not clear enough here, let me know.)
Let me define this a little more: my overlay needs to be a monthly average, my graph is over the past week, and my sample rate (or span) is by the hour. But my issue here is two-fold: first, I'm not sure how to do the average; second, I don't know how to do the overlay. If anyone has done this before or knows how to go about this, I would greatly appreciate it!
Alex
UPDATE: here is where I'm stuck right now:
(index=cisco* OR index=f5 OR index=app) linecount=1 | search action="blocked" | bucket _time span=1h | stats count by _time
I'm thinking of using another bucket to create week groups to average by hour.
UPDATE#2: I'm getting closer. What would make this possible would be having a "day-of-the-week" value concatenated with an "hour-of-the-day" value, i.e. date_wday and date_hour merged, with counts per hour for the last four weeks (snapped to the hour), which would give me 4 counts to average per day:hour. Can anyone help from here?
UPDATE#3: OK, I have assigned date_hour and I can stats count by it now, but I can't call date_wday, and if I look at my field extractions I don't see it. How do I extract it? If I can get wday:hour as a field to count by, then I can average and create the graph. Google seems to be failing me right now; not sure where else to turn to.
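Added example, not part of Alex's post and not Splunk SPL: Python that does the arithmetic UPDATE#2 describes on constructed hourly deny counts. It builds the wday:hour key (date_wday + date_hour), averages the 4 samples each key gets over a 4-week window, and overlays that baseline on the last 7 days so hours that deviate from their own weekday/hour average stand out. The 4-week window, the Monday start date and the spike are all constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WDAY = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
HOUR = timedelta(hours=1)

# Constructed sample window: 4 weeks of hourly firewall-deny counts,
# Mon 2024-01-01 00:00 UTC up to (not including) Mon 2024-01-29 00:00 UTC.
START = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATEST = START + timedelta(weeks=4)
SPIKE_AT = datetime(2024, 1, 25, 14, tzinfo=timezone.utc)  # a Thursday in the last week


def wday_hour(ts):
    """Key like 'Thu:14', i.e. date_wday and date_hour concatenated."""
    return f"{WDAY[ts.weekday()]}:{ts.hour:02d}"


def sample_counts():
    """Constructed data: a steady 10+hour denies per hour, plus one 400-deny spike."""
    out = []
    ts = START
    while ts < LATEST:
        out.append((ts, 10 + ts.hour + (400 if ts == SPIKE_AT else 0)))
        ts += HOUR
    return out


def baseline_by_wday_hour(counts, latest, weeks=4):
    """Average count per weekday:hour over the `weeks` weeks ending at `latest`,
    so each of the 168 keys is the mean of exactly `weeks` hourly samples."""
    start = latest - timedelta(weeks=weeks)
    total, n = defaultdict(int), defaultdict(int)
    for ts, c in counts:
        if start <= ts < latest:
            total[wday_hour(ts)] += c
            n[wday_hour(ts)] += 1
    return {k: total[k] / n[k] for k in total}


def overlay_last_week(counts, latest):
    """Rows of (timestamp, actual, baseline, actual - baseline) for the last 7 days."""
    base = baseline_by_wday_hour(counts, latest)
    week_start = latest - timedelta(weeks=1)
    return [(ts, c, base[wday_hour(ts)], c - base[wday_hour(ts)])
            for ts, c in counts if week_start <= ts < latest]


if __name__ == "__main__":
    for ts, actual, base, delta in overlay_last_week(sample_counts(), LATEST):
        if delta > 50:  # flag hours well above their own 4-week average
            print(ts, actual, base, delta)
```

Because the spike sits inside the averaging window it also lifts the Thu:14 baseline (124 instead of 24); excluding the current week from the window avoids that if you want a baseline the current data cannot move.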