https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/295239#M89105 <P>To add to this post for future readers, if you did want to use tstats, then you could using the following syntax:</P> <PRE><CODE>| tstats count WHERE (index=*) BY index _time span=1d prestats=t | timechart span=1d count by index </CODE></PRE> <P>adjust the span period (on both lines as they must match) to whatever you prefer based on your search (1h, 4h, 5m, etc...)</P> Tue, 11 Sep 2018 14:57:40 GMT DEAD_BEEF 2018-09-11T14:57:40Z https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/295237#M89103 <P>I am trying to do a time chart of available indexes in my environment , I already tried below query with no luck </P> <P>| tstats count where index=* by index _time</P> <P>but i want results in the same format as </P> <P>index=* | timechart count by index limit=50<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3622iD4E7C707B7D66B6D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 12 Oct 2017 10:34:24 GMT https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/295237#M89103 kunalmao 2017-10-12T10:34:24Z https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/295238#M89104 <P>Hi kunalmao,<BR /> why you want to use tstats if the second solution solves your needs?<BR /> If the problem is performance, use <CODE>| metasearch</CODE> before index=*<BR /> Bye.<BR /> Giuseppe</P> Thu, 12 Oct 2017 10:44:36 GMT https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/295238#M89104 gcusello 2017-10-12T10:44:36Z https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/295239#M89105 <P>To add to this post for future readers, if you did want to use tstats, then you could using the following syntax:</P> <PRE><CODE>| tstats count WHERE (index=*) BY index _time span=1d prestats=t | timechart span=1d count by index </CODE></PRE> <P>adjust the span period (on both lines as they must match) to whatever you prefer based on your search (1h, 4h, 5m, etc...)</P> Tue, 11 Sep 2018 14:57:40 GMT https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/295239#M89105 DEAD_BEEF 2018-09-11T14:57:40Z https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/534833#M151149 <P>I would do it by including&nbsp; _time in the tstats' by statement<BR /><BR /></P><LI-CODE lang="markup">| tstats count where index=* by _time index | timechart span=1mon sum(count) by index</LI-CODE><P>&nbsp;</P> Tue, 05 Jan 2021 18:42:10 GMT https://community.splunk.com/t5/Splunk-Search/tstats-timechart/m-p/534833#M151149 guarisma 2021-01-05T18:42:10Z