So, this one will give you the _time, but only for the last 24 hours:
| multisearch
[ search index=_internal sourcetype=splunkd earliest=-2w@-24h@h latest=-2w@-0h@h
| eval event="1", when="then" ]
[ search index=_internal sourcetype=splunkd earliest=-24h@h latest=-0h@h
| eval event="1", when="now" ]
| bin _time span=1h
| fields event when date_hour
| chart sum(event) AS events values(_time) AS _time over date_hour by when
| where 'events: now' > 'events: then'
| table "VALUE_time: now" events*
| rename "VALUE_time: now" AS _time
The events represented by "then" are in the same hour, just two weeks earlier in this example.
Cheers, MuS