I've seen elsewhere this technique of adapting _time to suit your purpose and it seems to fit here...

index="firewall_std" src="10.19*.*.*"
| addinfo
| eval BeyondTheHour=info_search_time%3600, _time=_time-(floor(info_search_time%3600+1))
| timechart count, max(BeyondTheHour) as BeyondTheHour span=20m
| eval date_minute=strftime(_time,"%M")
| where date_minute=40
| eventstats max(BeyondTheHour) as BeyondTheHour
| eval startTime=strftime(_time+BeyondTheHour,"%d/%m/%Y %H:%M:%S.%3Q"),endTime=strftime(_time+BeyondTheHour+1200,"%d/%m/%Y %H:%M:%S.%3Q")
| table startTime endTime count

The query calculates how many seconds past the hour you ran the search (eval BeyondTheHour=info_search_time%3600) and winds _time back on all the events by that amount, so now your last 20 minutes is represented as the last 20 minutes of the previous hour (took me some time to get my head around this, so you might need some patience here). Now you can use a regular timechart to count the number of events per 20-minute span. You want to compare (what is now) the last 20 minutes for each hour, so remove the others (where date_minute=40). Create a startTime and endTime label for each of your results which adds back in the "BeyondTheHour" factor.

Run the query for any time period you like. Try it with today, yesterday, last 7 days, etc. The "last 20 minute" window will always be based upon the time at which you run the query. And it'll always assume you want a 20-minute window. If you want to change this (last 30 minutes, for example), you need to adjust both the "span=20m" element in the timechart command and the calculation for endTime (penultimate line). Currently I hard-code "+1200", which represents your 20-minute requirement (20*60).
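The _time shift in the answer above is easier to trust once you can step through it outside Splunk. The following is an added example, not code from the original post: it reproduces the same pipeline (seconds past the hour, wind _time back, fixed-span buckets, keep only the last bucket of each hour, add the offset back for the labels) in plain Python, and generalises it to any window that divides an hour (the 30-minute case the poster mentions just changes one argument). The event timestamps and the search time are constructed here rather than taken from a firewall index, the zero-count rows are filled across the event span because there is no search span to read from, and the millisecond `%3Q` of the Splunk labels is dropped since the sample is whole seconds.

```python
from collections import Counter
from datetime import datetime, timezone
from math import floor


def fmt(epoch):
    """Format an epoch second like the SPL strftime("%d/%m/%Y %H:%M:%S")."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%m/%Y %H:%M:%S")


def trailing_windows(event_times, search_time, window_seconds=1200):
    """Count events in the trailing window of each hour, where every window ends at
    the same number of seconds past the hour as `search_time` (the "last 20 minutes
    of each hour, measured from when you ran the search" idea).

    Mirrors the SPL step by step:
      BeyondTheHour = info_search_time % 3600
      _time         = _time - floor(BeyondTheHour + 1)
      timechart span=<window>          -> bucket = shifted - shifted % window
      where date_minute=40             -> bucket % 3600 == 3600 - window
      startTime / endTime              -> bucket + BeyondTheHour (+ window)
    Returns a list of (startTime, endTime, count) rows, oldest first.
    """
    if 3600 % window_seconds:
        raise ValueError("window must divide an hour so timechart buckets line up")
    beyond = search_time % 3600                 # seconds past the hour at search time
    shift = floor(beyond + 1)                   # winding back puts "now" at hh:59:59
    last_bucket_offset = 3600 - window_seconds  # 2400 s = minute 40 for a 20m window

    shifted = [t - shift for t in event_times]
    # timechart span=<window>: buckets are aligned to multiples of the span
    counts = Counter(s - s % window_seconds for s in shifted)

    # timechart emits every bucket in range, zeros included. Assumption: the
    # search span equals the span of the events themselves.
    first_hour = (min(shifted) // 3600) * 3600
    last_hour = (max(shifted) // 3600) * 3600
    rows = []
    for hour in range(first_hour, last_hour + 1, 3600):
        bucket = hour + last_bucket_offset      # the `where date_minute=40` filter
        start = bucket + beyond                 # add BeyondTheHour back for the label
        rows.append((fmt(start), fmt(start + window_seconds), counts.get(bucket, 0)))
    return rows


def _epoch(text):
    """Constructed-sample helper: 'YYYY-mm-dd HH:MM:SS' (UTC) -> epoch seconds."""
    return int(datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: search run at 10:07:30, so the window of interest is
# 09:47:30-10:07:30 and the comparison windows are hh:47:30-(hh+1):07:30.
SAMPLE_SEARCH_TIME = _epoch("2024-01-15 10:07:30")
SAMPLE_EVENTS = [_epoch(t) for t in (
    "2024-01-15 10:05:00",   # in the current window
    "2024-01-15 10:00:00",   # in the current window
    "2024-01-15 09:50:00",   # in the current window
    "2024-01-15 09:40:00",   # before 09:47:30: dropped by the date_minute filter
    "2024-01-15 09:00:00",   # in the previous hour's window (08:47:30-09:07:30)
    "2024-01-15 08:50:00",   # in the previous hour's window
    "2024-01-15 07:30:00",   # in no window; leaves an empty 07:47:30-08:07:30 row
)]

if __name__ == "__main__":
    for row in trailing_windows(SAMPLE_EVENTS, SAMPLE_SEARCH_TIME):
        print(*row)
    print("-- 30 minute windows --")
    for row in trailing_windows(SAMPLE_EVENTS, SAMPLE_SEARCH_TIME, window_seconds=1800):
        print(*row)
```

The check worth keeping in mind from running it: the 09:40:00 event lands in neither the 09:47:30 window nor the 08:47:30 one, so it vanishes from the table entirely, exactly as the `where date_minute=40` line discards it in Splunk; widen the window to 30 minutes and it reappears in the current row. A zero-count row in the output is also a useful signal in its own right, since for a firewall index it usually means the log source went quiet rather than that nothing happened.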