| makeresults count=2
| streamstats count
| eval _time=if(count=2,relative_time(_time,(-1*count)."y@y"),_time)
| makecontinuous span=1d _time
| timechart count span=1d
| eval diff=tostring(now() - _time,"duration")
| rex field=diff "(?<daysAgo>\d+)\+"
| fillnull daysAgo
| eval acd_date=case(daysAgo <= 32 ,"less32days" , daysAgo <= 42, "less42days", daysAgo <= 72,"less72days" , daysAgo <= 365,"less1year", daysAgo <= 720,"less2years",true(), "over2years")
| dedup acd_date
It's all about order.
... View more