So, I have been working on your proposals yesterday and today. I finally got it working. Your proposed query did not work, unfortunately. I did manage to create a report that runs every 5 minutes and calculates the count for the past 2 weeks. This is stored in the summary index and from there I create the timechart. I had some trouble with the events being stored with a timestamp of 2 weeks earlier. I managed to get that to work by adding | eval _time=now() at the end of my report search statement and that got me the correct timestamp in the summary index. Anyway, thank you for your help. I cannot accept your post as the solution, since there is also the query you proposed, but the summary index was the way to go!