I faced a similar issue and resolved it by creating an "inverse" timestamp and using that to bucket events on instead of _time. For example:

... | eval repoch=relative_time(now(),"+0d@d-1d")
Pick a latest time (I was interested in values up to and including yesterday)

| eval retime=repoch-_time
Calculate time prior to your new epoch

| bin retime span=7d
Set bin based on new time (this gets 7 days prior going backwards)

| stats dc(_time) as days, sum(count) as count by Column, retime
I was interested in counts over 7 days.

| where days = 7 | ...
I then only took complete weeks going forward

Obviously the date can be recovered by subtracting from repoch again if you need it.
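The backward-anchored bucketing described in the answer above, reproduced outside Splunk as an added example (not code from the original post). It assumes one summarised row per day per column; the `failed_logins` column name, the dates and the counts are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DAY = 86400
WEEK = 7 * DAY

def complete_weeks(rows, now):
    """rows: (epoch_seconds, column, count), assumed one row per day per column.
    Returns {(column, newest_day_in_week): total} for weeks with all 7 days."""
    # Anchor at the start of yesterday, like relative_time(now(), "+0d@d-1d").
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    repoch = int((midnight - timedelta(days=1)).timestamp())

    days = defaultdict(set)    # distinct timestamps per bucket, like dc(_time)
    totals = defaultdict(int)  # sum(count) per bucket
    for t, column, count in rows:
        retime = repoch - t       # seconds before the anchor
        bucket = retime // WEEK   # 0 = the 7 days ending yesterday
        days[(column, bucket)].add(t)
        totals[(column, bucket)] += count

    result = {}
    for (column, bucket), seen in days.items():
        if len(seen) != 7:        # drop today and the partial oldest week
            continue
        # Recover a real date by subtracting from repoch again.
        newest = datetime.fromtimestamp(repoch - bucket * WEEK, tz=timezone.utc)
        result[(column, newest.date().isoformat())] = totals[(column, bucket)]
    return result

# Constructed sample: daily rows from 2024-03-04 through 2024-03-20 ("today"),
# with count equal to the day of the month so the sums are easy to check.
NOW = datetime(2024, 3, 20, 10, 30, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    (int(datetime(2024, 3, d, tzinfo=timezone.utc).timestamp()), "failed_logins", d)
    for d in range(4, 21)
]

if __name__ == "__main__":
    for key, total in sorted(complete_weeks(SAMPLE_ROWS, NOW).items()):
        print(key, total)
```

Today's row falls into a negative bucket and the two oldest days form a partial bucket, so both are removed by the seven-day check.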