hey guys,

i m planning to draw a trend using timechart command , for some reason the timechart command showing no results but when i used stats or chart command its functioning correct.

following is the query i m using, can any one help me to get the correct query

| inputlookup SLA.csv | rex field=SOR_TDQ_FAIL_SLA_THRESHOLD "(?P.)\,(?.)" | eval sla_time = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time)) | eval sla_time=replace (sla_time,","," ") | eval sla_time=sla_time + ":00" | table SOR_NAME FEED_NAME sla_time | dedup SOR_NAME FEED_NAME | join type=outer SOR_NAME FEED_NAME [search index=xxx source=xxx earliest_time=@d |rex "info\s:\s+{4}\sSTARTED\s+{4}\sJob run_ingest_(?\w+)(?\d+-\d+-\d+-\d+-\d+-\d+)"|rex field=Datafeed_name "^(?\w{2,5})_(?\w+)$" | eval FILE_ARRIVALTIME = strftime(strptime(start_time,"%Y-%m-%d-%H-%M-%S") ,"%Y-%m-%d %H:%M:%S") | eval FILE_ARRIVALTIME_epoch=strptime(FILE_ARRIVALTIME,"%Y-%m-%d %H:%M:%S") |fields SOR_NAME FEED_NAME FILE_ARRIVALTIME FILE_ARRIVALTIME_epoch] | eval now_time=strftime(now(), "%Y-%m-%d %H:%M:%S") | eval now_time_epoch = strptime(now_time,"%Y-%m-%d %H:%M:%S") | eval sla_time_epoch = strptime(sla_time,"%Y-%m-%d %H:%M:%S") | eval time_diff_epoch =sla_time_epoch-FILE_ARRIVALTIME_epoch | fillnull value="0" FILE_ARRIVALTIME_epoch| where FILE_ARRIVALTIME_epoch!=0 |table SOR_NAME FEED_NAME sla_time_epoch FILE_ARRIVALTIME_epoch time_diff_epoch | eval sla_status=case(time_diff_epoch >= 0 , "Completed", time_diff_epoch <= 0 , "Missed SLA",1 = 1, "RISK") |timechart count(FEED_NAME) by sla_status