Hi, I have this query to find queries whose search span is more than 90d.

index=_audit action=search info=completed NOT is_realtime=1 earliest=0
| eval search_et = if(search_et="N/A", 0, search_et)
| eval search_lt = if(search_lt="N/A", exec_time, search_lt)
| eval srch_window = ((search_lt-search_et)/86400)
| eval lookback = case(
    round(srch_window) <= 1, "-1d",
    round(srch_window) > 1 AND round(srch_window) <= 7, "1-7d",
    round(srch_window) > 7 AND round(srch_window) <= 10, "7-10d",
    round(srch_window) > 10 AND round(srch_window) <= 30, "11-30d",
    round(srch_window) > 30 AND round(srch_window) <= 60, "30-60d",
    round(srch_window) > 60 AND round(srch_window) <= 90, "60-90d",
    1=1, "+90d" )
| search lookback="+90d"
| table user info event_count result_count search
| stats count avg(event_count) as avg_event avg(result_count) as avg_results values(info) as info by search, user
| sort 0 -count

You probably could modify it for your needs?

r. Ismo