https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-row-data/m-p/538861#M152383 <P>I think you already have everything you need.&nbsp; There's no need to convert the date field because it's already in epoch form.&nbsp; You do need to assign date to _time, however.&nbsp; Try this query.</P><LI-CODE lang="markup">| inputlookup mycsv.csv | eval _time = date | timechart max(Total) as Total by Source</LI-CODE> Sat, 06 Feb 2021 13:04:49 GMT richgalloway 2021-02-06T13:04:49Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-row-data/m-p/538842#M152370 <P>I have search that runs every day that populates a CSV that looks like this (I have more sources, but wanted to keep it more simple to explain):<BR /><BR /></P><TABLE border="1" width="100.02510670348984%"><TBODY><TR><TD width="14.285714285714286%" height="25px">Source</TD><TD width="14.285714285714286%" height="25px">Total</TD><TD width="14.285714285714286%" height="25px">Server</TD><TD width="14.285714285714286%" height="25px">Workstation</TD><TD width="14.285714285714286%" height="25px">Other</TD><TD width="7.142857142857143%" height="25px">Unknown</TD><TD width="7.142857142857143%">date</TD></TR><TR><TD width="14.285714285714286%" height="25px">norton</TD><TD width="14.285714285714286%" height="25px">735</TD><TD width="14.285714285714286%" height="25px">178</TD><TD width="14.285714285714286%" height="25px">542</TD><TD width="14.285714285714286%" height="25px">5</TD><TD width="7.142857142857143%" height="25px">10</TD><TD width="7.142857142857143%"><SPAN>1612548722</SPAN></TD></TR><TR><TD width="14.285714285714286%" height="25px">nessus&nbsp;</TD><TD width="14.285714285714286%" height="25px">857</TD><TD width="14.285714285714286%" height="25px">8</TD><TD width="14.285714285714286%" height="25px">829</TD><TD width="14.285714285714286%" height="25px">9</TD><TD width="7.142857142857143%" height="25px">11</TD><TD width="7.142857142857143%"><SPAN>1612548722</SPAN></TD></TR></TBODY></TABLE><P><BR /><BR />I would like a time graph to show each source over time, is this possible? I've tried a few methods, but can't seem to manipulate the data to get it to work right.&nbsp; I know the data will have to be converted using SPL like this&nbsp;&nbsp;|fieldformat date = strftime(date, "%m/%d/%Y").<BR /><BR />Any ideas how how to make a time graph by source over time?&nbsp;<BR /><BR />Thanks!</P> Fri, 05 Feb 2021 22:36:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-row-data/m-p/538842#M152370 UMDTERPS 2021-02-05T22:36:24Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-row-data/m-p/538861#M152383 <P>I think you already have everything you need.&nbsp; There's no need to convert the date field because it's already in epoch form.&nbsp; You do need to assign date to _time, however.&nbsp; Try this query.</P><LI-CODE lang="markup">| inputlookup mycsv.csv | eval _time = date | timechart max(Total) as Total by Source</LI-CODE> Sat, 06 Feb 2021 13:04:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-row-data/m-p/538861#M152383 richgalloway 2021-02-06T13:04:49Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-row-data/m-p/539015#M152442 <P>Works! Thanks!</P> Mon, 08 Feb 2021 16:16:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-row-data/m-p/539015#M152442 UMDTERPS 2021-02-08T16:16:44Z