Hi,

I have a dashboard where I'm running a timechart search with tstats. I want to increase the default number of bins for the tstats command, so that if I search for the last 7 days, I get more than only 7 bins. I have a solution to this that works almost fine, shown below.

| tstats local=f prestats=f count WHERE index=main BY _indextime, _time [search index=main | head  1 | eval span=tostring(ceil((now()-relative_time(now(), "$time_token.earliest$"))/500))."s" | return span] | eval diff=_indextime-_time | fields - count | timechart bins=500 cont=t avg(diff) AS "Average", median(diff) As "Median" | eval Threshold=3600

The sub-search here is the key part. It extracts the duration from the sat time with the time picker, and divides it by 500. For example, if I search for the last 7 days, the returned span for tstats will be 1331s. I'll copy it inn below.

[search index=main | head  1 | eval span=tostring(ceil((now()-relative_time(now(), "$time_token.earliest$"))/500))."s" | return span]

Two problems:

1. I rely on the sat time picker being in the form of "last x days/hours". For example, if someone wants to see data for a certain day three weeks ago, it wont work. The span sub-search will in this case return (three weeks to sec)/500, when it should return (on day to sec)/500. In the sub-search, I can't change "now()" to "$time_token.latest$" either, because in a case like "last 7 days", $time_token.latest$ will return the string "now", which doesn't work with the relative_time command.
2. Is there a prettier way of returning the span than doing the whole "search index=main | head 1"-thing? Starting the sub-search with just "| eval" doesn't seem to work.

Any help is greatly appreciated, thanks!