You could bin _time into the appropriate size buckets depending on how wide your timeframe is. Use addinfo to retrieve the start and end times being used for the search, work out how many days. Also, bin _time into different buckets (daily, weekly, monthly). Finally, reset _time to be the appropriate bucket value depending on the timeframe. Here I have used 14 and 28 days as breakpoints but you can use whatever values you like. Insert this code before your stats command. | addinfo
| eval _timeframe=info_max_time-info_min_time
| eval _days=floor(_timeframe/(60*60*24))
| bin _time as _daily span=1d
| bin _time as _weekly span=1w
| bin _time as _monthly span=1mon
| eval _time=case(_days<14,_daily,_days<28,_weekly,1==1,_monthly)
| fields - info_* _timeframe _days _daily _weekly _monthly
... View more