https://community.splunk.com/t5/Knowledge-Management/Search-Only-Returning-One-Column/m-p/95028#M980 <P>Here is the search, putting results in a summary index.</P> <PRE><CODE>sourcetype="SmtpPrevent_operational" dtime=*s | convert auto(dtime) | search dtime&gt;=60 | sitimechart span=1h count(dtime&gt;=60), count(dtime&gt;=120), count(dtime&gt;=180) </CODE></PRE> <P>(longhand version)</P> <PRE><CODE>sourcetype="SmtpPrevent_operational" dtime=*s | convert auto(dtime) | search dtime&gt;=60 | sitimechart span=1h count(dtime&gt;=60), count(dtime&gt;=120), count(dtime&gt;=180) | summaryindex spool=t uselb=t addtime=t index="dtime_plus_60" file="Summary Index DTime 60+,120+,180+ per Hour_1480261911.stash_new" name="Summary Index DTime 60+,120+,180+ per Hour" marker="" </CODE></PRE> <P>Now here is what ends up being in the summary index:</P> <PRE><CODE>10/18/2012 10:00:00, search_name="Summary Index DTime 60+,120+,180+ per Hour", search_now=1350576300.000, info_min_time=1350568800.000, info_max_time=1350572400.000, info_search_time=1350576324.840, psrsvd_gc=27, psrsvd_v=1 </CODE></PRE> Thu, 18 Oct 2012 16:38:11 GMT whod81 2012-10-18T16:38:11Z https://community.splunk.com/t5/Knowledge-Management/Search-Only-Returning-One-Column/m-p/95028#M980 <P>Here is the search, putting results in a summary index.</P> <PRE><CODE>sourcetype="SmtpPrevent_operational" dtime=*s | convert auto(dtime) | search dtime&gt;=60 | sitimechart span=1h count(dtime&gt;=60), count(dtime&gt;=120), count(dtime&gt;=180) </CODE></PRE> <P>(longhand version)</P> <PRE><CODE>sourcetype="SmtpPrevent_operational" dtime=*s | convert auto(dtime) | search dtime&gt;=60 | sitimechart span=1h count(dtime&gt;=60), count(dtime&gt;=120), count(dtime&gt;=180) | summaryindex spool=t uselb=t addtime=t index="dtime_plus_60" file="Summary Index DTime 60+,120+,180+ per Hour_1480261911.stash_new" name="Summary Index DTime 60+,120+,180+ per Hour" marker="" </CODE></PRE> <P>Now here is what ends up being in the summary index:</P> <PRE><CODE>10/18/2012 10:00:00, search_name="Summary Index DTime 60+,120+,180+ per Hour", search_now=1350576300.000, info_min_time=1350568800.000, info_max_time=1350572400.000, info_search_time=1350576324.840, psrsvd_gc=27, psrsvd_v=1 </CODE></PRE> Thu, 18 Oct 2012 16:38:11 GMT https://community.splunk.com/t5/Knowledge-Management/Search-Only-Returning-One-Column/m-p/95028#M980 whod81 2012-10-18T16:38:11Z https://community.splunk.com/t5/Knowledge-Management/Search-Only-Returning-One-Column/m-p/95029#M981 <P>If you just use a normal timechart command are you getting the expected results (3 groups) from your search?</P> <P>Your summary index output seems to reflect only 1 count of results (no grouping!) being saved (as per your question).</P> <P>edit: Actually, looking at your search I wouldn't have expected "count(dtime&gt;=60), count(dtime&gt;=120), count(dtime&gt;=180)" to actually output anything.</P> <P>So your original search needs to be fixed with something like this perhaps :</P> <P>| eval dtime_group=case(dtime &lt;= "60" , "less60", dtime &gt;= "61" AND dtime &lt;= "120", "lessthan120", dtime &gt;="180", "lessthan180") | timechart count by dtime_group</P> Mon, 28 Sep 2020 12:39:58 GMT https://community.splunk.com/t5/Knowledge-Management/Search-Only-Returning-One-Column/m-p/95029#M981 Lucas_K 2020-09-28T12:39:58Z https://community.splunk.com/t5/Knowledge-Management/Search-Only-Returning-One-Column/m-p/95030#M982 <P>The non-si version of the search properly returns 3 columns.</P> <P>sourcetype=\"SmtpPrevent_operational\" dtime=*s | convert auto(dtime) | search dtime&gt;=60 | timechart span=1d count(eval(dtime&gt;=60)) as 60+, count(eval(dtime&gt;=120)) as 120+, count(eval(dtime&gt;=180)) as 180+'</P> Tue, 23 Oct 2012 15:30:57 GMT https://community.splunk.com/t5/Knowledge-Management/Search-Only-Returning-One-Column/m-p/95030#M982 whod81 2012-10-23T15:30:57Z