Thanks for the guidance! It was much easier than I thought. I adjusted my query using the span flag in timechart, then embedded the code in my dashboard and locked that to run with a relative range (past 1 month). To answer your question, I was hesitant as I was thinking that timechart would not be able to deal with the sporadic push to Splunk of the day. Using span=3d fixed this, so it is a readable chart. End result:

index="google" sourcetype="*directory*" "emails{}.address"="*@mydomain.com" | timechart count by archived span=3d