21 Aug 2024 10:06 AM
I am trying to create a row-by-row comparison in DQL. However, the query so far is a time frame and hence one row. I want to create a row for each interval in the time frame. But I can't find a way to expand this time frame. Does anyone know how I can create a new row for each interval?
This the query so far.
timeseries ThisWeek = avg(log.payment.amounteur),
from: now() -30m,
by: { payment.status, payment.airline },
filter: { payment.status == "APPROVED"
AND payment.airline == "KL" }
| join on: { payment.status, payment.airline },
[timeseries LastWeek = avg(log.payment.amounteur),
by: { payment.status, payment.airline }, shift: -24h],
fields: {LastWeek}
| fields timeframe, ThisWeek, LastWeek
29 Aug 2024 12:59 PM
It is doable using using special start() or end() functions which can be used in timeseries command to produce timeseries with timestamps and use of expand command. Expand without additions I mentioned of course works, but you will loose time information for datapoint.
Here is example query on demo data:
timeseries cpu=avg(dt.host.cpu.usage), t=start()
| fieldsAdd cput = record(cpu=cpu[], t=t[])
| expand cput
| fields cpu=cput[cpu], t=cput[t]
and result looks like this:
But I think some comparisons can be also made using timeseries (arrays) without expanding as corresponding values have same index in the arrays). What comparison do you want to make?