Depending
on the time range or time span selected.
You can
always leverage the timechart command and its functions to better provide and
identify more contexts to discrete data. As in the example below, with the
timechart command, you will bucket the events first into 5-minute interval.
This is well specified by the span parameter.
Index=main
sourcetype=access_combined |eval kb=bytes/1024 | timechart span=5m
