@sbimizry what is the field containing epoch time in your lookup? Or do you have time in lookup available as String time? In either case community would be able to assist you better if you provide field names with some sample data from your lookup file.
time field 2019/01/01 20:08:00 value1 2019/01/01 20:09:00 value1 2019/01/01 20:10:00 value1 2019/01/01 20:08:00 value2 2019/01/01 20:10:00 value2
Then following would be the query. If time in lookup is String time following eval with
strptime() would be required to convert string time to epoch. Otherwise _time can be directly overridden with
| eval _time=time when time field is already epoch time.
| inputlookup lookupname | eval _time=strptime(time,"%Y/%m/%d %H:%M:%S") | chart sparkline count by field
are you sure, that your inputlookup is delivering some fields+values? Do you use the right fieldname to count? Is this fieldname available in your lookup output?
I tested it, there are no problems right now.
Could you plz try the following:
| inputlookup lookupfile.csv
If yes, try:
| inputlookup lookupfile.csv | chart sparkline count by field_you_are_looking_for