@llidan, since you seem to be monitoring Windows Event Viewer Log data, you should have default fields like date_hour, date_mday etc extracted from _time. You can use these in your base search to filter only required events from (22-23) PM and (0-5) AM.

Following is a query as per your current search which will pull previous month data. Hour data is from 22-23 and 0-5. Alternatively if you are on 6.6. or higher, you can also use date_hour IN (0,1,2,3,4,5,22,23).

EventCode=4624 Keywords="Audit Success" Logon_Type=10 OR Logon_Type=2  (date_hour>=22 AND date_hour<24) OR (date_hour>=0 AND date_hour<6)   earliest=-1mon@mon latest=@mon
| stats count(eval(date_hour>=22 AND date_hour<24)) as night_window count(eval(date_hour>=0 AND date_hour<6)) as morning_window by date_year date_month date_mday
| streamstats last(date_mday) as previous_date last(night_window) as previous_night_window current=f window=1
| eval daily_total=morning_window+previous_night_window
| eval Date=date_year." ".date_month." ".date_mday
| where isnotnull(daily_total)
| fields Date daily_total

PS: I have used streamstats to pull previous date and night window event count to total in the current date morning window. As your time window spans across two days.

Alternatively, since you need 22, 23 hours from previous day to be accounted in the next day, you can also mess with your _time and push it by 2 hours so that 22, and 23 from previous day become 0 and 1 on the same day.

EventCode=4624 Keywords="Audit Success" Logon_Type=10 OR Logon_Type=2  date_hour IN (0,1,2,3,4,5,22,23)
| eval _time=relative_time(_time,"+2h")
| timechart span=1d count
| where count>0

Please try out and confirm!