I've got a timechart hooked up to a particular source in my indexes, generated by a script which logs events looking like this every five minutes:


Ready,205
Not Ready,108


A field extraction has been set up on those numbers as ReadyCount and NotReadyCount respectively.

I can timechart these successfully with a string like:

host="my.internal.host" ready latest=now latest=-2d@d | timechart span=5m first(NotReadyCount) as "Not Ready", first(ReadyCount) as "Ready"

This search is connected to a dashboard graph.

My problem is, if I keep that same span and increase the time box to -7d@d, I only get a couple days worth of graph, even though the raw results show me getting all the results I'd hoped for. If I've got, say, two weeks worth of results, the larger time box will result in me getting a graph containing the first 4 days or so.

If I increase the span to 20m, I get a graph containing the last week worth of results like you'd normally expect. Unfortunately, for our purposes, we need the 5 minute resolution on the graph, so reducing the span is not a usable solution, nor is any averaging on the graph results.

How can I get all of my results to show up in the graph correctly?