are you sure, that your inputlookup is delivering some fields+values? Do you use the right fieldname to count? Is this fieldname available in your lookup output?
I tested it, there are no problems right now.
Could you plz try the following:
| inputlookup lookupfile.csv
If yes, try:
| inputlookup lookupfile.csv | chart sparkline count by fieldyouarelookingfor
@sbimizry what is the field containing epoch time in your lookup? Or do you have time in lookup available as String time? In either case community would be able to assist you better if you provide field names with some sample data from your lookup file.
time field 2019/01/01 20:08:00 value1 2019/01/01 20:09:00 value1 2019/01/01 20:10:00 value1 2019/01/01 20:08:00 value2 2019/01/01 20:10:00 value2
Then following would be the query. If time in lookup is String time following eval with
strptime() would be required to convert string time to epoch. Otherwise _time can be directly overridden with
| eval _time=time when time field is already epoch time.
| inputlookup lookupname | eval _time=strptime(time,"%Y/%m/%d %H:%M:%S") | chart sparkline count by field
I did it, but it doesn’t work.
Example my data:
result_time name 1565083380 value1 1565083230 value1 1565087350 value2 1565078330 value3 1565066540 value2