Hi MuS, Thank you for your help! 🙂 I think the fact that the _time value on the second row display 1970-01-01 01:00:00 is due to a bug because the count value match with my tests. Regarding the query, you just have to remove the /2 in the span value to make it work. Like this: index=_internal [ | gentimes start=-1 | eval earliest=now() - ( round(tonumber(now()-relative_time(now(), "$time.earliest$")),0) *2 ) | return earliest ] sourcetype=splunkd| timechart [ | gentimes start=-1 | eval span=now() - ( round(tonumber(now()-relative_time(now(), "$time.earliest$")),0)) | return span ] count | reverse One last thing, if you want to use this with datamodels , use tags. Like this: tag=ids tag=attack action=blocked [ | gentimes start=-1 | eval earliest=now() - ( round(tonumber(now()-relative_time(now(), "$time.earliest$")),0) *2 ) | return earliest ] | timechart [ | gentimes start=-1 | eval span=now() - ( round(tonumber(now()-relative_time(now(), "$time.earliest$")),0)) | return span ] count | reverse Regards, Iranes ... View more

Hi MuS! I try your query but modified it a little because the result showed more than 2 row and the _time value of the first row doesn't match with the time picker value. (ex: i run the search at 16h32 and the time picker is 60min ago. Your query display 16h10 while the modified version show 15h32 (which describe an interval of 1hour (15h32 to 16h32)) Here is the modified version: index=_internal [|gentimes start=-1 | eval earliest=now() - ( round(tonumber(now()-relative_time(now(), "$time.earliest$")),0) *2 ) | return earliest ] sourcetype=splunkd | timechart [|gentimes start=-1 | eval span=round(tonumber(relative_time(now(), "$time.earliest$"))/2,0) | return span ] count Regarding to the second row, as you can see in the pic the _time value is not correct I think because there is a problem with the span or earliest value because if i remove the "/2" it show me the 1970 January 1st (2016-1970 =46 and 46/2=23 ; so 2016-23=1993) PS: Could you explain me each instruction of your query to be sure I understood? Regards. Iranes ... View more

Thank you for responding so quickly! I try your request, "the easy way" request exactly , and it returns me "Search is waiting for input...", and it's because of $time.earliest$ i thought the $time.earliest$ and $time.latest$ are the two variables that define the range of the time picker. Otherwise, i would like (if my search start at 14h42 and the time picker is 60 minutes) to see in the _time column at the first row 13h42 (13h42 - 14h42), then the second row 12h42 (12h42 - 13h42). My needs are close to this topic: https://answers.splunk.com/answers/333319/how-to-create-a-search-to-show-a-trending-single-v.html But as you can see, this search is static, that mean if we change the time picker the result will not match. ... View more