Hi jkat54,

I think using timechart will show my time as _time which is the time the log file was saved. I had a strftime() to extract the timestamp out in the log for my x-axis.

The value(light_status_ seems to show 0 values too, not sure why.

Try this:

sourcetype="Light" index=_* OR index=* sourcetype="Light" |rex field=_raw "\"endpointKeyHash\":{\"string\":\"(?[^\"])\".\"Event\": (?{.*})}$"| spath input=mydata | eval light_status = If(IsOn == "true","1","0") |timechart values(light_status)

Is sourcetype="Light" index=_* OR index=* sourcetype="Light" supposed to be

(sourcetype="Light" index=_*) OR (index=* sourcetype="Light")?

Because as is, it will only apply the OR to the index values.

[No answer to your origin question, but hopefully helpful]
Your search term includes two times 'sourcetype="Light"'. As OR has priority over (implicit) AND the search does probably not what you intended. Also I assume that "Light" or "IoT Light" is not in the internal indexes (starting with "_...") so you could leave them out. Further speed up could be achieved by only naming the index(es), that actually contain(s) the named sourcetype.

@wuming79, how frequently are you polling light_status (real-time or with slight delay lets say 1min or 5 min)?

You seem to have too many data points on x-axis and since you are not using timechart command you are not getting x-axis time range adjusted.

You can try following couple of thing :
1) From the Format option in the Line Chart Visualization (as shown in your screenshot), for X- Axis select Label Rotation as -90 degrees
2) Choose a smaller Time Range (like last 5 min or last 15 min), so that you have less data points on x-axis (Try with 50 or less row in Statistics values)

Eventually you might have to consider streamstats and/or timechart command to plot your data.