Hello
This subquery will calculate the most granular possible span value for a given time range:
| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count
If you want exactly as you asked for, you can use this one instead:
| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count
Hope it helps
... View more