I have updated my original question.

Could you also post the query that you use with chart command? Do you select pie visualization for both?

Options? I don't believe I understand the question. The original question shows my entire search string.

did you tried something like this using chart instead timechart?

index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| bin _time span=1h 
| chart count over _time BY msg

Bye.
Giuseppe

Now I am getting a chart, but the error message isnt showing.

Here is a screenshot.

https://imgur.com/a/NZTJC

Thanks again.

revie the message field extraction
Bye.
Giuseppe

This | spath output=msg path=Detail.error.message.message should be replaced with this | spath output=msg path=Detail.error.message

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

Thanks for the response, I am having the same results though.

@zerocalm - try again. There was an extra .message in the code, probably inserted somehow when you changed timechart to chart.

|makeresults 
| eval _raw="//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{  
    \"Service\":\"Enterprise Sales\",
    \"Date\":\"09/19/2017 08:44:41.466\",
    \"Environment\":\"XXX\",
    \"Debug\":\"Error\",
    \"Source\":\"PostSalesIntegration\",
    \"Description\":\"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request\",
    \"Message_Unique_Id\":null,
    \"Message_qualifier\":null,
    \"JMSMessageID\":null,
    \"Detail\":{  
       \"error\":{  
          \"message\":\"Failed to execute HTTP request\",
          \"reason\":\"Read timed out\",
          \"resolution\":\"Please check the Snap properties.\"
       }"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message

Thanks, I removed the extra .message, and I am still getting the same results.

Screenshot:

https://imgur.com/PQA6itN