@wjrbrady Splunk timechart command’s span argument must be a fixed value per search execution—you cannot dynamically change the span within a single timechart based on the hour of the day. However, you can achieve similar logic using a combination of eval, bin, and append.

E.g., using append:

    search ... earliest=@d latest=now
    | eval hour=tonumber(strftime(_time,"%H"))
    | where hour > 7 AND hour < 19
    | timechart span=10m sum(count) as count
    | append
        [ search ... earliest=@d latest=now
        | eval hour=tonumber(strftime(_time,"%H"))
        | where hour <= 7 OR hour >= 19
        | timechart span=1h sum(count) as count ]
    | sort _time

Also, if you want a single timeline but with custom buckets, you can create your own time buckets using eval and bin.

Regards,
Prewin
Splunk Enthusiast | Always happy to help!
If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks!
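The single-timeline variant mentioned at the end of the reply could look like the following. This is an added example, not part of the original post: it keeps the post's elided base search (`...`) and its `count` field, and it assumes buckets aligned on epoch boundaries (600 s and 3600 s), which match local clock hours only when the timezone offset is a whole number of hours. It computes the bucket start with `eval` arithmetic and aggregates with `stats` in place of `timechart`, so no second pass over the data is needed.

```spl
search ... earliest=@d latest=now
| eval hour=tonumber(strftime(_time,"%H"))
| eval bucket_width=if(hour > 7 AND hour < 19, 600, 3600)
| eval _time=_time - (_time % bucket_width)
| stats sum(count) as count by _time
| sort _time
```

Because the rows come from `stats`, intervals with no events are not zero-filled the way `timechart` would fill them.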