I have a query which uses the summary index and some lookup tables with eval conditions and ends with...
| chart count by field_a, field_b
...which is working fine and gives me the statistics. But, when I tried the same query by replacing the "chart count by" with "timechart count by", it gives me an error as follows and doesn't work:
Error in 'timechart' command: The argument 'field_b' is invalid.
Could anyone explain why the query with timechart doesn't work but the query with chart did?
The main thing is that timechart doesn't let you include multiple fields in its by clause. Commands like chart do. You can also fake it by concatenating your two fields into one, and using that in
| eval marker=field_a+field_b | timechart count by marker
This is what I usually do, with the only change being that I concatenate using the period "." symbol to eliminate possible weirdness with it trying to add numeric values together.
| eval marker=field_a.field_b | timechart count by marker
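A fuller version of the concatenation workaround, added here as an example and not part of either answer above. It builds on the period-concatenation idea but also covers two things a plain `field_a.field_b` misses: a separator, so that values like "ab"/"c" and "a"/"bc" do not collapse into the same series, and null handling, since concatenating a null field in eval yields null and those events silently drop out of the by clause. The field names, the ":" separator and the 1h span are assumptions for illustration; `coalesce`, `span`, `limit`, `useother` and `usenull` are standard eval/timechart options.

```spl
| eval marker = coalesce(field_a, "unknown") . ":" . coalesce(field_b, "unknown")
| timechart limit=0 span=1h count by marker useother=f usenull=f
```

Set `limit=0` so that timechart does not fold anything beyond the top ten series into OTHER, which matters when the combined key has many distinct values; `useother=f` and `usenull=f` keep the chart to exactly the series you constructed.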