https://community.splunk.com/t5/Splunk-Search/search-stats/m-p/673669#M230665 <P>The field _time needs to be available at the time of using the "| timechart " command<BR /><BR />you example of:<BR /><SPAN>index=prueba source="*blablabla*"&nbsp;</SPAN><BR /><SPAN>| eval Date=strftime(_time,"%Y/%m/%d")</SPAN><BR /><SPAN>| eval Time=strftime(_time,"%H:%M:%S")</SPAN><BR /><SPAN>| eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S")</SPAN><BR /><SPAN>| rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)"</SPAN><BR /><EM><STRONG>| stats values(Fecha) as Fecha, values(transactType) as transactType by ID</STRONG></EM><BR /><SPAN>| timechart span=5m count by transactType<BR /><BR /></SPAN>is not carrying over the_time field from the raw events.<BR />In the bolded SPL above the stats transformation will need some sort of method of carrying over the&nbsp;<EM>_time</EM> field<BR /><BR />I would recommend either a</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> | stats earliest(_time) as _time, values(Fecha) as Fecha, values(transactType) as transactType by ID | timechart span=5m count as count by transactType</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>OR a&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> | stats latest(_time) as _time, values(Fecha) as Fecha, values(transactType) as transactType by ID | timechart span=5m count as count by transactType</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>(depending on what makes more sense for your scenario)&nbsp;<BR /><BR />So example of your Full SPL would look something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=prueba source="*blablabla*" ``` The field ID is assumed to already be extracted ``` ``` regex extraction of transactType field ``` | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" ``` transform raw events to singular events, each representing a unique ID with their own list of tranactType value and _time value ``` | stats latest(_time) as _time, values(transactType) as transactType by ID ``` make a time series tallying up all the unique IDs belonging to the unique transactType values in 5 minute buckets ``` | timechart span=5m count as count by transactType</LI-CODE><P>&nbsp;</P> Tue, 09 Jan 2024 16:22:56 GMT dtburrows3 2024-01-09T16:22:56Z https://community.splunk.com/t5/Splunk-Search/search-stats/m-p/673665#M230664 <P>Hi,</P> <P>I have a log with several transactions, each one have some events. All event in one transaction share the same ID. The other events contains some information each one, for example, execution time, transact type, url. login url, etc.... This fields can be in one or several of the events.</P> <P>I want to obtain the total transactions of each type in spanned time, for example each 5m.</P> <P>I need to group the events of each trasaction for extract the info for it.</P> <LI-CODE lang="markup">index=prueba source="*blablabla*" | eval Date=strftime(_time,"%Y/%m/%d") | eval Time=strftime(_time,"%H:%M:%S") | eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S") | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" | stats values(Fecha) as Fecha, values(transactType) as transactType by ID</LI-CODE> <P>This is Ok, if i want count transactType then i do:</P> <LI-CODE lang="markup">index=prueba source="*blablabla*" | eval Date=strftime(_time,"%Y/%m/%d") | eval Time=strftime(_time,"%H:%M:%S") | eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S") | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" | stats values(Fecha) as Fecha, values(transactType) as transactType by ID |stats count by transactType</LI-CODE> <P>The problem is if i want to obtain that in a span time:<BR />I cant do this because there is some events with the transactType field in one transaction:</P> <LI-CODE lang="markup">index=prueba source="*blablabla*" | eval Date=strftime(_time,"%Y/%m/%d") | eval Time=strftime(_time,"%H:%M:%S") | eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S") | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" | timechart span=5m count by transactType</LI-CODE> <P>And following query dont give me any result:</P> <LI-CODE lang="markup">index=prueba source="*blablabla*" | eval Date=strftime(_time,"%Y/%m/%d") | eval Time=strftime(_time,"%H:%M:%S") | eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S") | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" | stats values(Fecha) as Fecha, values(transactType) as transactType by ID | timechart span=5m count by transactType</LI-CODE> <P>Im tried too (but i dont get results):</P> <LI-CODE lang="markup">index=prueba source="*blablabla*" | eval Date=strftime(_time,"%Y/%m/%d") | eval Time=strftime(_time,"%H:%M:%S") | eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S") | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" | bucket Fecha span=5m | stats values(Fecha) as Fecha, values(transactType) as transactType by ID |stats count by transactType</LI-CODE> <P>Or:</P> <LI-CODE lang="markup">index=prueba source="*blablabla*" | eval Date=strftime(_time,"%Y/%m/%d") | eval Time=strftime(_time,"%H:%M:%S") | eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S") | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" | stats values(Fecha) as Fecha, values(transactType) as transactType by ID | bucket Fecha span=5m |stats count by transactType</LI-CODE> <P>How can i obtain what i want?</P> <P>&nbsp;</P> Wed, 10 Jan 2024 09:05:13 GMT https://community.splunk.com/t5/Splunk-Search/search-stats/m-p/673665#M230664 asncari 2024-01-10T09:05:13Z https://community.splunk.com/t5/Splunk-Search/search-stats/m-p/673669#M230665 <P>The field _time needs to be available at the time of using the "| timechart " command<BR /><BR />you example of:<BR /><SPAN>index=prueba source="*blablabla*"&nbsp;</SPAN><BR /><SPAN>| eval Date=strftime(_time,"%Y/%m/%d")</SPAN><BR /><SPAN>| eval Time=strftime(_time,"%H:%M:%S")</SPAN><BR /><SPAN>| eval Fecha=strftime(_time,"%Y/%m/%d %H:%M:%S")</SPAN><BR /><SPAN>| rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)"</SPAN><BR /><EM><STRONG>| stats values(Fecha) as Fecha, values(transactType) as transactType by ID</STRONG></EM><BR /><SPAN>| timechart span=5m count by transactType<BR /><BR /></SPAN>is not carrying over the_time field from the raw events.<BR />In the bolded SPL above the stats transformation will need some sort of method of carrying over the&nbsp;<EM>_time</EM> field<BR /><BR />I would recommend either a</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> | stats earliest(_time) as _time, values(Fecha) as Fecha, values(transactType) as transactType by ID | timechart span=5m count as count by transactType</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>OR a&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> | stats latest(_time) as _time, values(Fecha) as Fecha, values(transactType) as transactType by ID | timechart span=5m count as count by transactType</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>(depending on what makes more sense for your scenario)&nbsp;<BR /><BR />So example of your Full SPL would look something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=prueba source="*blablabla*" ``` The field ID is assumed to already be extracted ``` ``` regex extraction of transactType field ``` | rex "^.+transactType:\s(?P&lt;transactType&gt;(.\w+)+)" ``` transform raw events to singular events, each representing a unique ID with their own list of tranactType value and _time value ``` | stats latest(_time) as _time, values(transactType) as transactType by ID ``` make a time series tallying up all the unique IDs belonging to the unique transactType values in 5 minute buckets ``` | timechart span=5m count as count by transactType</LI-CODE><P>&nbsp;</P> Tue, 09 Jan 2024 16:22:56 GMT https://community.splunk.com/t5/Splunk-Search/search-stats/m-p/673669#M230665 dtburrows3 2024-01-09T16:22:56Z https://community.splunk.com/t5/Splunk-Search/search-stats/m-p/673680#M230666 <P>I've tried this, but without de "as _time" Now works perfect.</P><P>Thank you very much!!!!!</P> Tue, 09 Jan 2024 17:09:13 GMT https://community.splunk.com/t5/Splunk-Search/search-stats/m-p/673680#M230666 asncari 2024-01-09T17:09:13Z