Try this and adjust to your case
index=_internal
| bucket _time span=1h
| chart count by source, _time
| addtotals
Hi Alaza,
just a few additional details to better understand your needs:
From your picture I see that you don't have weekends; you can filter results by putting date_wday!=sunday AND date_wday!=saturday
in your main search.
In other words, try something like this
index="Ico_number" date_wday!=sunday AND date_wday!=saturday
| timechart span=1d count by Type_Group
Bye.
Giuseppe
Type_Group is a field and I can't display the value like the picture, weekend or not.
OK, this is probably the reason why your search doesn't run: if you put a field in a search, you have to assign a value, something like this
index="Ico_number" Type_Group=*
otherwise Splunk interprets "Type_Group" as a string to search.
So try something like this
index="Ico_number" Type_Group=*
| timechart span=1d count by Type_Group
Bye.
Giuseppe
Thanks for your help, it works now.