topic Re: Why is my stats command with timechart producing null values for a field? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-is-my-stats-command-with-timechart-producing-null-values-for/m-p/249181#M74410 <P>You'll need a "by-clause" in the stats or timechart command. <CODE>BY _time</CODE> not <CODE>AS _time</CODE>. One creates a column, the other creates a row.. Timechart is looking for columns by rows of time.</P> <P>Try these:</P> <PRE><CODE>index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST, max(_time) as _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) by _time index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST, max(_time) as maxtime by _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST by _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) max(_time) </CODE></PRE> <P>Wait, why are we getting max(_time)? Anytime you manipulate _time you cause problems. Problems that can be fixed but i'm just trying to understand why you need the maximum thereof.</P> Wed, 27 Jan 2016 16:26:49 GMT jkat54 2016-01-27T16:26:49Z Why is my stats command with timechart producing null values for a field? https://community.splunk.com/t5/Splunk-Search/Why-is-my-stats-command-with-timechart-producing-null-values-for/m-p/249180#M74409 <P>My stats command is working, but when I pump it into timechart, it shows null values for fraction:</P> <PRE><CODE>index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST, max(_time) as _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) </CODE></PRE> <P>Any idea what I am missing here?</P> <P>Thanks</P> Wed, 27 Jan 2016 15:54:45 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-stats-command-with-timechart-producing-null-values-for/m-p/249180#M74409 brian38401 2016-01-27T15:54:45Z Re: Why is my stats command with timechart producing null values for a field? https://community.splunk.com/t5/Splunk-Search/Why-is-my-stats-command-with-timechart-producing-null-values-for/m-p/249181#M74410 <P>You'll need a "by-clause" in the stats or timechart command. <CODE>BY _time</CODE> not <CODE>AS _time</CODE>. One creates a column, the other creates a row.. Timechart is looking for columns by rows of time.</P> <P>Try these:</P> <PRE><CODE>index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST, max(_time) as _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) by _time index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST, max(_time) as maxtime by _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST by _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) max(_time) </CODE></PRE> <P>Wait, why are we getting max(_time)? Anytime you manipulate _time you cause problems. Problems that can be fixed but i'm just trying to understand why you need the maximum thereof.</P> Wed, 27 Jan 2016 16:26:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-stats-command-with-timechart-producing-null-values-for/m-p/249181#M74410 jkat54 2016-01-27T16:26:49Z