Here is a runanywhere example - the part before the blank lines just sets up the dummy data

| makeresults
| eval _raw="_time(s)	sourcetype	country
0	app1	US
1	app1	DE
2	app2	DE
65	app2	US
66	app2	US
67	app1	DE"
| multikv forceheader=1
| eval _time=relative_time(_time,"@m")+time_s_
| bin _time span=1m



| stats count by _time sourcetype country
| eval results="\"".country."\": ".count
| stats values(results) as results by _time sourcetype
| eval results="{".mvjoin(results,", ")."}"
| xyseries _time sourcetype results