That's one way of doing it.
I would suggest building it as follows, for example:
earliest=-31d latest=-1d | where strftime(_time, "%H") > "18" AND strftime(_time, "%H") < "21" | bin _time span=30m | stats count(FIELD) by _time
Thank you. I am planning to use this in a monitoring scenario, so if error counts in the last 30 minutes increase more than the 30-day average (during the same 30 minutes) then we have a problem. So would you recommend sticking to rounded 30 minutes or doing the last 30 minutes?
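As an added example (written in Python rather than SPL, and not part of the thread above), here is the comparison the follow-up question describes, implemented for both window choices so the difference between a rounded 30-minute slot and the trailing 30 minutes is visible. The alert threshold (twice the 30-day average, with a minimum of 5 errors), the treatment of error-free days as zero in the baseline, and all timestamps are assumptions constructed for the example.

```python
"""Alert when errors in the most recent 30-minute window exceed the
30-day average for that same window. Added example, not from the thread;
the error timestamps are constructed below so it runs offline."""
from datetime import datetime, timedelta
from statistics import mean

SLOT = timedelta(minutes=30)

# Constructed "now": 19:05 on an arbitrary day; the burst below sits in 18:30-19:00.
NOW = datetime(2024, 3, 15, 19, 5)


def floor_to_slot(ts):
    """Round down to the start of the enclosing 30-minute slot
    (the equivalent of Splunk's `bin _time span=30m`)."""
    return ts.replace(minute=(ts.minute // 30) * 30, second=0, microsecond=0)


def current_window(now, aligned):
    """(start, end) of the window under test.

    aligned=True  -> the last *completed* slot. The slot still filling
                     (18:30-18:47 at 18:47) holds only a partial count and
                     would compare low against full historical slots.
    aligned=False -> the trailing 30 minutes ending at `now`.
    """
    if aligned:
        end = floor_to_slot(now)
        return end - SLOT, end
    return now - SLOT, now


def count_in(events, start, end):
    """Number of error timestamps in [start, end)."""
    return sum(1 for ts in events if start <= ts < end)


def baseline_counts(events, start, end, days=30):
    """Counts for the same window on each of the previous `days` days.
    A day with no errors contributes 0 rather than being skipped, so the
    average is over days, not over days that happened to have errors."""
    return [count_in(events, start - timedelta(days=d), end - timedelta(days=d))
            for d in range(1, days + 1)]


def check_error_rate(events, now, aligned=True, factor=2.0, min_count=5, days=30):
    """Return the current count, the 30-day average for the same window and
    whether to alert. `factor` absorbs ordinary variance; `min_count` stops
    an alert on e.g. 1 error against an average of 0.2."""
    start, end = current_window(now, aligned)
    current = count_in(events, start, end)
    avg = mean(baseline_counts(events, start, end, days))
    alert = current > factor * avg and current >= min_count
    return {"window": (start, end), "current": current, "avg": avg, "alert": alert}


def constructed_events(now, burst=True):
    """Synthetic error timestamps (constructed, not real log data): 4 errors
    in the 18:30-19:00 slot on each of the previous 30 days; today's slot
    holds either the same 4 or, with burst=True, 20 errors at 18:30-18:49."""
    today_slot = now.replace(hour=18, minute=30, second=0, microsecond=0)
    events = []
    for d in range(1, 31):
        day_slot = today_slot - timedelta(days=d)
        events += [day_slot + timedelta(minutes=m) for m in (3, 11, 19, 27)]
    if burst:
        events += [today_slot + timedelta(minutes=m) for m in range(20)]
    else:
        events += [today_slot + timedelta(minutes=m) for m in (3, 11, 19, 27)]
    return events


if __name__ == "__main__":
    events = constructed_events(NOW)
    for aligned in (True, False):
        r = check_error_rate(events, NOW, aligned=aligned)
        print("aligned" if aligned else "trailing", r)
```

The point the two modes make: with rounded slots (the `bin _time span=30m` approach), compare the last completed slot, not the one still filling, or the partial count will sit below a baseline built from full slots; with a trailing window the current and historical windows are always the same length, at the cost of the baseline not lining up with fixed bins.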