At the moment there is no result....the expectation is to get the sum of the CPU time over a period of last 7 days for each workload. Currently I am extracting the CPU time from the data. The CPU time in the original data is in seconds.

So you'll want to debug your query to figure out why there are no results.

Start with the minimum commands to verify you get the expected events and fields.

index= foo 
| rex field=DATA "\S(?<DATE>.{10})(?<WORKLOAD>.{3})\S.{137}(?<CPU>.{7}).*"

If that works, add one command at a time until you get no results.  The last command added likely is the cause.

Hi Rich,

I did do that over the weekend, and the problem is with the Stats sum(.....) command. I dont see any results after adding that command.

I just replaced it with 

| stats values(CPUTIME) as CPU_TIME_SEC by WORKLOAD

and I get the following result....its the CPU time in seconds for the last 7 days. 

F91	3372 3488 3522 4932 14322
F92	733 736 741 785 970

Are there events where the WORKLOAD field is NULL? If so, that will prevent stats from producing results.
Also, do the blank lines in the upper-right box above indicate missing data? That also could affect stats.

I am working with a different query for Online CPU time in seconds and in that query the stats sum command work.

here is the other query...

| rex field=DATA "\S(?<DATE>.{10})(?<WORKLOAD>.{3})\S.{137}(?<CPU>.{7}).*"
| where WORKLOAD in("F91","F92","FA1","FA2","FA3","FB2","FC4","FC5","FC6","FH1","FH2","FH3","FH4","FNC","FSC")
| eval CPU_min=(CPU/60)
| eval CPU_MIN=round(CPU_min, 2)
| table WORKLOAD CPU_MIN
| stats sum(CPU_MIN) as ONLINE_CPU_TIME by WORKLOAD

I wonder if convert is throwing things off in the first search.

without the convert command also I am seeing the same problem....the original data is in seconds.

No there is no missing data.. and the lines are not blank. I just copied the second set of results instead of typing hence you see the difference between F91 and F92