https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200438#M58108 <P>The timechart command requires field _time to be present in the resultset. Which field can be used to calculate _time?</P> Thu, 15 Dec 2016 20:49:05 GMT somesoni2 2016-12-15T20:49:05Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200437#M58107 <P>i have table like this </P> <PRE><CODE>id info starttime endtime responsetime source 2 inbound time1 time2 1sec raja outbound 3 inbound time3 time4 3 sec raja1 outbound </CODE></PRE> <P>i need to find out the timechart; like in 1 hr, how many id's were processed in 24 hrs<BR /> i am trying to do <CODE>timechart span=1h count(id) by source</CODE><BR /> but I am getting error, could someone please help me?<BR /> thanks. </P> Thu, 15 Dec 2016 20:39:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200437#M58107 prashanthberam 2016-12-15T20:39:26Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200438#M58108 <P>The timechart command requires field _time to be present in the resultset. Which field can be used to calculate _time?</P> Thu, 15 Dec 2016 20:49:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200438#M58108 somesoni2 2016-12-15T20:49:05Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200439#M58109 <PRE><CODE>index=**** source="****" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode" OR "provZipCode assigned to zipCode" OR "Begin getProcedureDetailBluChip"|rex "(?Inbound|Outbound)" | rex "ID:(?.*)" |rex "(?m)\(?.*)"|rex "(?m)\(?.*)" |stats max(_time) as startTime,min(_time) as endTime,values(info) as Info,values(ResponseTime) as responseTime,values(StatusCode) as StatusCode,values(message) as StatusMessage by id,source |eval responseTime=startTime-endTime |eval StartTime=strftime(startTime,"%Y-%m-%d %H:%M:%S,%3N")|eval EndTime=strftime(endTime,"%Y-%m-%d %H:%M:%S,%3N") |table id,Info,StartTime,EndTime,responseTime,StatusCode,StatusMessage,source </CODE></PRE> <P>my query like this i am trying to put the _time field in it , could you please suggest me..thanks...</P> Thu, 15 Dec 2016 21:06:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200439#M58109 prashanthberam 2016-12-15T21:06:59Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200440#M58110 <P>Try this (check the rex command as it was truncated in your comments)</P> <PRE><CODE>index=**** source="****" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Outbound Message" OR "Inbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode" OR "provZipCode assigned to zipCode" OR "Begin getProcedureDetailBluChip"|rex "(?Inbound|Outbound)" | rex "ID:(?.*)" |rex "(?m)\(?.*)"|rex "(?m)\(?.*)" | timechart span=1h dc(id) by source </CODE></PRE> Thu, 15 Dec 2016 21:09:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-timechart-search-to-find-how-many-fields-were/m-p/200440#M58110 somesoni2 2016-12-15T21:09:51Z