How does this subsearch work, you might ask? Well, noop | stats count in a subsearch is a trick to generate a single event, with a single field of count=0, by running the undocumented "do nothing" noop command, and then counting that nothing with stats. We use addinfo to add fields to our single event about the selected time window for the search, and then use eval to calculate the earliest and latest time based on the selected time window using the relative_time function. We only care about the earliest and latest fields from this subsearch, so we throw the rest away using fields. Finally, as earliest and latest should be written into the search as earliest=### latest=###, with no surrounding parentheses, no ANDs nor any ORs, we use the format command to do just that.
The rest of the search is the same as written.
Now it might be possible to get this running with the multisearch command to run your search twice at the same time, and chart them onto the same graph, but I'm getting some unexpected results with a quick smoke test.
You may also be interested in the timewrap app & command as it would make stuff like this easier 🙂