30 Oct 2024 02:30 PM
I have a query used to show open/resolved problems with a makeTimeseries. I would like to have a comparison of the same information, just a week ago, for trending reasons. Would there be a way to do this? Switching to timeseries? Timeseries has a shift command that may be useful.
fetch dt.davis.problems
| filter isnotnull(display_id)
| filter isFalseOrNull(dt.davis.is_duplicate)
| dedup display_id
| makeTimeseries
  count = count(),
  spread: timeframe(from: event.start, to: coalesce(event.end, now())),
  by:{event.status}, interval:1h
| sort event.status desc
31 Oct 2024 12:30 AM
Hi @wmisenhe, try the dt.davis.problems.snapshots if you are after a longer trend analysis of problems. Here is an example:
fetch dt.davis.problems.snapshots, from:now() - 14d
| filter isnotnull(display_id)
| filter isFalseOrNull(dt.davis.is_duplicate)
| dedup display_id
| fieldsAdd day = bin(timestamp, 24h)
| summarize by:{day, event.status}, count = count()
31 Oct 2024 01:21 AM
Hey @wmisenhe
You can append a new query of the same data but with a different timeframe. Then within that appended query you can override the timeframe to be the one from the original query. This will allow you to layer 2 timeseries of different timeframes on top of each other. The last thing to do is to change the graph settings to use the timeframes from the data and not the queries as seen below.
fetch dt.davis.problems
| filter isnotnull(display_id)
| filter isFalseOrNull(dt.davis.is_duplicate)
| dedup display_id
| makeTimeseries
  count = count(),
  spread: timeframe(from: event.start, to: coalesce(event.end, now())),
  interval:1h
| append [
  fetch dt.davis.problems, from:now()-60d, to:now()-30d
  | filter isnotnull(display_id)
  | filter isFalseOrNull(dt.davis.is_duplicate)
  | dedup display_id
  | makeTimeseries
    countPrev = count(),
    spread: timeframe(from: event.start, to: coalesce(event.end, now())),
    interval:1h
  | fieldsAdd timeframe = timeframe(from:now()-30d, to:now())
]
Hope this helps!