I can't find the correct syntax to search the last 15 days of logs, relative to the latest entry. My current search is as follows:
source="test.log" CPUUsage=* | timechart span=20m max(CPUUsage)
If I change the time range to "latest 15 days", it's relative to NOW, not the latest event.
I don't know if this is the best way to do it, but it is one way.
source="test.log" CPU_Usage=* | join [| metadata type=sources source="test.log"| stats max(lastTime) as latest] | timechart span=20m max(CPU_Usage)
That works with a few changes.
source="*test.log*" CPU_Usage=* [ search CPU_Usage=* | head 1 | eval earliest=relative_time(_time,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=20m max(CPU_Usage)