Ok we changed the way the log was displaying the data, I did add the SHOULD_LINEMERGE after it still was being cheeky, and then tried your search and it works great. thanks for all the advice and assistance. Tricky but finally enjoying the chart!

I see now what you guys were talking about with mvzip and mvexpand. But I wouldn't bother with that - this data shouldn't be multiline so just reindex with SHOULD_LINEMERGE="False" and I think it'll show up. I don't think xyseries can deal with multivalue fields and maybe it just quietly fails.

If I change the order of the fields after xyseries i start to see at least a legend but I haven't been able to get the data to show up

well the data is extracted into fields so i don't see how it really matters. It's just odd

Weird. they removed it from the menu. You can see it if you just manually replace "flashtimeline" with "charting" in the URL. but it doesn't matter. I just ran an xyseries search in the flashtimeline view and it should run fine there.

index=_internal source=*metrics.log group=per_sourcetype_thruput | xyseries _time series kb

And ABSOLUTELY. If you're indexing these events as giant multiline events, then who knows what's happening but that's probably the reason. Fix that and reindex the data and it should make a lot more sense.

Where is this? I'm in the search app, I run the search, I don't see any option for advanced charting? I also tried adding | fields - NULL OTHER to the end of the search but that didn't do anything. So you understand I'm running this independent of an advanced xml dashboard config. I'm running this in the search app.

run it in the advanced charting view, not in flashtimeline. Also is it possible that "everything being blank" is just because the first page is all null values? can you throw in a | search event=* Avg=* to restrict your incoming events to only the events that are going to be meaningful?

I don't even get a chart or those chart options. On a side note i'm going to do an experiment to have the logs separate each event into its own line and try charting that way. I'm not sure if this is being strange because of the grouping of this data as one event.

If I use
sourcetype="ec2_web" "[EVENTS]" | rex field=_raw "\d:\s+(?[\w+\s]+?)\s+(?\d)\s+(?\d+.\d+)" max_match=100 | rex field=source "/(?

So you can see _time values in the table, and you can see values of the event field across the columns of the table, and there are Avg values populating the table, but nothing shows up.

What kind of chart type are you using? When you create a report this way with no aggregation there are lots of null values in the data, and when there are lots of null values, if you are using "line" chart, with "nullValueMode" left at it's default of "gaps" and "showMarkers" left at its default of "False", then the chart will literally display nothing... Change the above settings or the chart type.

The numbers are displayed in milliseconds. Perhaps I should try changing milliseconds to seconds?

It's strange but this didn't work either. I'm wondering if it has something to do with how this data is presented. I'm going to try a few more things. Whatever help you have given is greatly appreciated though. It's strange but when using xy series, nothing shows up. It's just all blank.