Interesting, but it goes back only 48 hours. How to make it 7 days or with a time picker?
My search is:
index=wineventlog earliest=-48h
| eval _time=if(_time>relative_time(now(), "-24h"),now(),relative_time(now(), "-24h"))
| timechart span=24h count by login_status

Thanks,

I have to show the trend over a 24 hours period comparing the occurrences in the last 24 hours with the ones in the 24 hours before, starting from the actual time: so if I start my search at 11 A.M. of the 5th of april, I need to have the result in two periods:
from 2015-04-04 11.00.00 to 2015-04-05 10.59.59
from 2015-04-03 11.00.00 to 2015-04-04 10.59.59

instead timechart divides results only by days
2015-04-05 547
2015-04-04 1032
2015-04-03 621
but probably it isn't possible.

Thank you.
Giuseppe

hi @gcusello,

I have the same query where i have to show the trend for last 24hrs which is working fine but the count of alerts is coming as of now or today not for last 24hrs . can you please help if you have got any solution .

Here is my query which i am using currently.

myquery | lookup abc.csv Device output Type | where isnotnull(Type) | timechart span=1d count(Status) as Total | trendline sma2(Total) as Trend

yes I tried both with span=1d and span=24h (I know that it's the same thing!)
The problem is that timechart divides always results by day, instead I'd like to have a division by span period, but probably it isn't possible.
Thank you.
Giuseppe