Comparing Averages Over Search Intervals

You can compare the average of a field (m1) over the “last 24 hours” with the average of the same field (m1) over the “latest 1 hour”. To do this, run the search with the interval set to “24h”.

filters... | [avg(m1,as=all), bucket(function=avg(m1,as=lastHour), span=1h)] | rename(_bucket,as=@timestamp) | tail(2) | head(1)

This calculates the average over whatever the search interval is (max 1500 hours) and shows it next to the average of the latest hour, in this case for the field “m1”.